[gnutls-devel] DANE: Verification failed for TLSA record with usage=0

Ondřej Caletka Ondrej.Caletka at cesnet.cz
Thu Sep 18 09:48:04 CEST 2014


I've deployed TLSA records for www.cesnet.cz. I've used swede utility to
constrain allowed CA and according to swede, the record is valid:

$ ./swede verify www.cesnet.cz
Received the following record for name _443._tcp.www.cesnet.cz.:
        Usage:                          0 (CA Constraint)
        Selector:                       0 (Certificate)
        Matching Type:                  1 (SHA-256)
        Certificate for Association:
This record is valid (well-formed).
Attempting to verify the record with the TLS service...
Got the following IP:
SUCCESS (Usage 0): A certificate in the certificate chain offered by the
server matches the one mentioned in the TLSA record and is a CA certificate
The matched certificate has Subject: /C=NL/O=TERENA/CN=TERENA SSL CA

However, when trying to validate this TLSA record using danetool from
GnuTLS 3.3.7, I get a validation error:

$ danetool --check www.cesnet.cz --proto tcp --port 443
Resolving 'www.cesnet.cz'...
Obtaining certificate from '2001:718:1:101::4:443'...
Querying DNS for www.cesnet.cz (tcp:443)...
_443._tcp.www.cesnet.cz. IN TLSA ( 00 00 01
5c428b013b2e3f0d30abb5bebd92d066dc06dc223329eb0fc735609946cf8e1c )
Certificate usage: CA (00)
Certificate type:  X.509 (00)
Contents:          SHA2-256 hash (01)

Verification: Verification failed. CA constrains were violated.

I believe this is a bug in GnuTLS. Other DANE implementations see the
TLSA record as valid.

Best regards

Ondřej Caletka
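The disagreement above turns on what a usage 0 (PKIX-TA, "CA constraint") record is allowed to match: per RFC 6698 the association data must correspond to a CA certificate in the validated chain, never to the end-entity certificate, and PKIX validation must also succeed. The following Python is an added illustration of that matching logic written for this page; it is not code from GnuTLS, danetool or swede, and it does not settle which tool is right about www.cesnet.cz. The "DER" certificate blobs are constructed byte-string stand-ins, and only selector 0 (full certificate) with matching types 0, 1 and 2 is implemented; the TLSA rdata parsed by `parse_tlsa_rdata` is the record from the danetool output above.

```python
"""TLSA association checks (RFC 6698 usages 0-3), added illustration.

Constructed inputs only: the certificate "DER" values are byte-string
stand-ins, not real certificates. Selector 1 (SPKI) is reported as
unsupported because it needs an ASN.1 parser.
"""
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


@dataclass(frozen=True)
class Cert:
    der: bytes      # DER encoding (constructed stand-in here)
    is_ca: bool     # basicConstraints CA flag as the validator sees it


# Record from the danetool output in the post, fields joined onto one line.
# Values 0..3 read the same in decimal and in danetool's two-digit hex.
EXAMPLE_RDATA = ("00 00 01 "
                 "5c428b013b2e3f0d30abb5bebd92d066dc06dc223329eb0fc735609946cf8e1c")


def parse_tlsa_rdata(rdata: str) -> TLSA:
    """Parse 'usage selector mtype hex...' into a TLSA record."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA rdata needs usage, selector, mtype and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    data = bytes.fromhex("".join(parts[3:]))
    expected = {1: 32, 2: 64}.get(mtype)
    if expected is not None and len(data) != expected:
        raise ValueError(f"matching type {mtype} expects {expected} bytes, got {len(data)}")
    return TLSA(usage, selector, mtype, data)


def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Compute the value the TLSA data field must equal for this certificate."""
    if selector != 0:
        raise NotImplementedError("selector 1 (SPKI) needs DER parsing; not shown")
    if mtype == 0:
        return cert.der
    if mtype == 1:
        return hashlib.sha256(cert.der).digest()
    if mtype == 2:
        return hashlib.sha512(cert.der).digest()
    raise ValueError(f"unknown matching type {mtype}")


def check_tlsa(record: TLSA, chain: List[Cert], pkix_ok: bool) -> str:
    """Return 'verified' or a reason. chain[0] is the end-entity certificate,
    the rest are issuing CAs. Usages 0 and 1 also require PKIX to have passed."""
    if record.usage in (0, 1) and not pkix_ok:
        return "PKIX validation failed"
    if not chain:
        return "empty chain"
    end_entity, issuers = chain[0], chain[1:]
    if record.usage in (1, 3):
        matched = association_data(end_entity, record.selector, record.mtype) == record.data
        return "verified" if matched else "end-entity certificate does not match"
    if record.usage in (0, 2):
        # A CA constraint is satisfied only by a CA certificate in the chain;
        # a record carrying the end-entity hash can never match under usage 0.
        for ca in issuers:
            if ca.is_ca and association_data(ca, record.selector, record.mtype) == record.data:
                return "verified"
        return "CA constraint violated: no matching CA certificate in chain"
    return f"unknown usage {record.usage}"


def demo() -> dict:
    """Constructed chain: end-entity, intermediate CA, root CA (stand-in bytes)."""
    ee = Cert(b"constructed end-entity certificate", is_ca=False)
    inter = Cert(b"constructed intermediate CA certificate", is_ca=True)
    root = Cert(b"constructed root CA certificate", is_ca=True)
    chain = [ee, inter, root]
    pin_ca = TLSA(0, 0, 1, hashlib.sha256(inter.der).digest())      # usage 0, intermediate
    pin_ee_as_ca = TLSA(0, 0, 1, hashlib.sha256(ee.der).digest())   # usage 0 with EE hash
    pin_ee = TLSA(3, 0, 1, hashlib.sha256(ee.der).digest())         # usage 3, end-entity
    return {
        "ca_ok": check_tlsa(pin_ca, chain, pkix_ok=True),
        "ca_without_pkix": check_tlsa(pin_ca, chain, pkix_ok=False),
        "ee_hash_with_usage0": check_tlsa(pin_ee_as_ca, chain, pkix_ok=True),
        "ee_ok": check_tlsa(pin_ee, chain, pkix_ok=False),
    }


if __name__ == "__main__":
    print(parse_tlsa_rdata(EXAMPLE_RDATA))
    for name, result in demo().items():
        print(f"{name}: {result}")
```

When debugging a report like the one above, the useful comparison is which certificate each tool hashed: `check_tlsa` makes the two failure modes explicit (PKIX failing, versus no CA certificate in the chain hashing to the record), whereas danetool's single "CA constrains were violated" line does not say which one it hit. One real-world caveat the stand-in chain cannot show is that the validator may complete the chain from its own trust store, so the set of CA certificates considered can differ between tools even for the same server.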

