Hi, > Would you consider adding support for RFC6698 Domain Authentication of > Named Entities (DANE) Transport Layer Association within OpenSSL to > facilitate the wide spread adoption of this technology.
There is initial support committed to 1.0.2 branch. This goes against usual practice of developing new features in development HEAD branch first and then back-porting it to stable branch. The reason is to facilitate development with existing libunbound deployments that are dependent on OpenSSL 1.0.x. In order to start testing ensure that you have installed libunbound, both binary and development packages, download 1.0.2 branch (as snapshot from ftp.openssl.org or checking out OpenSSL_1_0_2-stable), configure with 'experimental-dane experimental-libunbound shared' arguments and start testing with LD_LIBRARY_PATH set to directory where OpenSSL 1.0.2 was built. Goal is to iron out details prior 1.0.2 release and promote the feature to optional. Programming notes. Application is expected to pass packed TLSA record to libssl with new SSL_ctrl code prior performing handshake. Rationale is that that pulling TLSA record is potentially blocking operation, which is hardly unacceptable in cases when non-blocking operation is desired. In order to facilitate the operation there is additional interface, SSL_get_tlsa_record_byname, accepting hostname, port and socket type that returns packed TLSA record. In order to make it even easier there is additional SSL_ctrl function that calls SSL_get_tlsa_record_byname for you. Latter is recommended for programmers that wish to maintain broader binary compatibility, e.g. make application work with both 1.0.2 and prior version (in which case call to SSL_ctrl with new code returning error would have to be ignored when running with prior version). The code is rather crude for the moment and todo list includes - move libunbound configuration to config file (as opposite to hard-coding location of resolv.conf and trust anchor); - extend error handling; - pull at config time and allow dynamic load of versioned libunbound.so.x (for the time being there is run-time dependency on libunbound development package, which should be removed); - debug on platforms other than Linux; This is in addition to some still open questions about how implementation should work. So do provide feedback. Pointer to TLSA records of different types are welcomed (for the moment it was tested only against dane.verisignlabs.com, which has only usage type 3). ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
