On 07/07/2024 17:10, Viktor Dukhovni via Exim-users wrote:
What are the server's TLSA records in that case?

(testsuite syntax, but you get the gist)

DNSSEC mxdane512ee          MX  1  dane512ee
DNSSEC dane512ee            A      HOSTIPV4

DNSSEC _1225._tcp.dane512ee TLSA 3 1 2 e8173aaefffadc6c96700f7f396a17b8e590ebd15b081f1455abb152afecceb16a5534707ecd64611c8b6d8b9111f82e3fa954b98c6b230cda0e9be386747b71

Could the use of SNI depend on usage DANE-EE(3)?

In this case all the TLSA records are "2 1 1".
Also the TLSA records are behind a CNAME.

With a (single) 2 1 1 TLSA behind a CNAME, we still record an SNI having been 
presented:

DNSSEC mxdane256tak          MX  1  dane256tak
DNSSEC dane256tak            A      HOSTIPV4
DNSSEC _1225._tcp.dane256tak CNAME  _tlsa._tcp.dane256tak
DNSSEC _tlsa._tcp.dane256tak TLSA 2 1 1 beabbe636030e4c26d15a015e878c2a607ed5a87774443ffbc6991ec01d2b6b1

Server log line:

1999-03-02 09:44:33 10HmbB-000000005vi-0000 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane256tak.test.ex S=sss id=e10hmba-000000005vi-0...@myhost.test.ex for t...@mxdane256tak.test.ex
                                                                                                                                                            ^^^^^^^^^^^^^^^^^^^^^^


--
Cheers,
  Jeremy
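
Added example, not part of the message above and not Exim or testsuite code: a Python sketch that reads records in the testsuite syntax quoted in the message, follows the CNAME from _1225._tcp.<host> to the TLSA RRset, labels the usage (DANE-TA(2) or DANE-EE(3)), and pulls the SNI= field out of a server log line. The function names, the dummy digests and the shortened log line are assumptions made for the illustration.

```python
import re

USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}  # RFC 7218 acronyms
DIGEST_HEX_LEN = {1: 64, 2: 128}  # matching type 1 = SHA-256, 2 = SHA-512

# Constructed zone in the testsuite syntax quoted above; the digests are dummies.
ZONE = f"""\
DNSSEC dane512ee             A      HOSTIPV4
DNSSEC _1225._tcp.dane512ee  TLSA 3 1 2 {'ab' * 64}
DNSSEC dane256tak            A      HOSTIPV4
DNSSEC _1225._tcp.dane256tak CNAME  _tlsa._tcp.dane256tak
DNSSEC _tlsa._tcp.dane256tak TLSA 2 1 1 {'cd' * 32}
"""
# Constructed log fragment modelled on the server log line in the message.
LOG = "<= <> H=the.local.host.name P=esmtps CV=no SNI=dane256tak.test.ex S=sss"

def parse_zone(text):
    """Map owner name -> [(rrtype, rdata fields)], dropping the DNSSEC marker."""
    zone = {}
    for line in text.splitlines():
        f = [w for w in line.split() if w != "DNSSEC"]
        if len(f) >= 3:
            zone.setdefault(f[0].lower(), []).append((f[1].upper(), f[2:]))
    return zone

def tlsa_lookup(zone, host, port, max_hops=8):
    """Return (final owner name, TLSA records) for _port._tcp.host, via CNAMEs."""
    name = f"_{port}._tcp.{host}".lower()
    for _ in range(max_hops):  # bounded, so a CNAME loop cannot spin forever
        target = [rd[0] for t, rd in zone.get(name, []) if t == "CNAME"]
        if not target:
            break
        name = target[0].lower()
    else:
        return name, []  # chain too long or looping: treat as no usable TLSA
    records = []
    for t, rd in zone.get(name, []):
        if t != "TLSA" or len(rd) < 4:
            continue
        usage, selector, mtype = (int(x) for x in rd[:3])
        data = "".join(rd[3:]).lower()  # tolerate a digest split by whitespace
        # A digest whose length does not fit the matching type can never match.
        well_formed = bool(re.fullmatch(r"[0-9a-f]+", data)) and \
            len(data) == DIGEST_HEX_LEN.get(mtype, len(data))
        records.append({"usage": USAGE.get(usage, "unknown"), "selector": selector,
                        "mtype": mtype, "well_formed": well_formed})
    return name, records

def sni_from_log(line):
    """Return the SNI= field of an Exim log line, or None when none was logged."""
    m = re.search(r"(?:^|\s)SNI=(\S+)", line)
    return m.group(1) if m else None
```
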

