[gnutls-devel] DANE: Verification failed for TLSA record with usage=0
Ondřej Caletka
Ondrej.Caletka at cesnet.cz
Thu Sep 18 09:48:04 CEST 2014
Hello,
I've deployed TLSA records for www.cesnet.cz. I've used the swede utility to
constrain the allowed CA, and according to swede the record is valid:
$ ./swede verify www.cesnet.cz
Received the following record for name _443._tcp.www.cesnet.cz.:
Usage: 0 (CA Constraint)
Selector: 0 (Certificate)
Matching Type: 1 (SHA-256)
Certificate for Association:
5c428b013b2e3f0d30abb5bebd92d066dc06dc223329eb0fc735609946cf8e1c
This record is valid (well-formed).
Attempting to verify the record with the TLS service...
Got the following IP: 195.113.144.230
SUCCESS (Usage 0): A certificate in the certificate chain offered by the
server matches the one mentioned in the TLSA record and is a CA certificate
The matched certificate has Subject: /C=NL/O=TERENA/CN=TERENA SSL CA
However, when trying to validate this TLSA record using danetool from
GnuTLS 3.3.7, I get a validation error:
$ danetool --check www.cesnet.cz --proto tcp --port 443
Resolving 'www.cesnet.cz'...
Obtaining certificate from '2001:718:1:101::4:443'...
Querying DNS for www.cesnet.cz (tcp:443)...
_443._tcp.www.cesnet.cz. IN TLSA ( 00 00 01
5c428b013b2e3f0d30abb5bebd92d066dc06dc223329eb0fc735609946cf8e1c )
Certificate usage: CA (00)
Certificate type: X.509 (00)
Contents: SHA2-256 hash (01)
Data:
5c428b013b2e3f0d30abb5bebd92d066dc06dc223329eb0fc735609946cf8e1c
Verification: Verification failed. CA constrains were violated.
I believe this is a bug in GnuTLS. Other DANE implementations see the
TLSA record as valid.
--
Best regards
Ondřej Caletka
CESNET
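The disagreement above is about what a usage 0 ("CA constraint") TLSA record is allowed to match: under RFC 6698 the association data must match a CA certificate somewhere in the chain the server presents (here the TERENA SSL CA intermediate), and the chain must additionally pass ordinary PKIX validation; usage 1 must match the end-entity certificate, while usages 2 and 3 drop the PKIX requirement. The following is an added example, not code from the thread, from swede or from GnuTLS: a minimal re-implementation of those matching rules over constructed stand-in certificates. The certificate bodies are opaque byte strings and the CA flag and SPKI are plain attributes (assumptions made so the example runs offline); a real implementation hashes the DER encoding of the certificate or of its SubjectPublicKeyInfo and reads basicConstraints.

```python
"""RFC 6698 TLSA matching, reduced to its selector/matching-type/usage logic.

Added example with constructed data; not part of GnuTLS or swede.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Cert:
    der: bytes    # stand-in for the DER-encoded certificate (constructed)
    spki: bytes   # stand-in for the DER SubjectPublicKeyInfo (constructed)
    is_ca: bool   # stand-in for the basicConstraints CA flag


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 CA constraint, 1 EE constraint, 2 trust anchor, 3 domain-issued
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> TLSA:
    """Parse the zone-file form '0 0 1 5c42...'; hex may be split by whitespace."""
    parts = presentation.split()
    if len(parts) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA parameter value")
    data = bytes.fromhex("".join(parts[3:]))
    expected = {1: 32, 2: 64}.get(mtype)
    if expected is not None and len(data) != expected:
        raise ValueError("data length does not fit the matching type")
    return TLSA(usage, selector, mtype, data)


def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """What the record's data field is compared against for this certificate."""
    raw = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    return hashlib.sha512(raw).digest()


def matches(record: TLSA, cert: Cert) -> bool:
    return association_data(cert, record.selector, record.mtype) == record.data


def verify(record: TLSA, chain: List[Cert], pkix_ok: bool) -> bool:
    """chain[0] is the end-entity certificate, followed by the issuers the server sent.

    pkix_ok is the outcome of normal path validation against the local trust store;
    usages 0 and 1 require it, usages 2 and 3 replace it (RFC 6698 section 2.1.1).
    """
    ee, issuers = chain[0], chain[1:]
    if record.usage == 0:
        # CA constraint: any CA in the presented chain may match, intermediates included,
        # but a match on the end-entity certificate does not satisfy usage 0.
        return pkix_ok and any(c.is_ca and matches(record, c) for c in issuers)
    if record.usage == 1:
        return pkix_ok and matches(record, ee)
    if record.usage == 2:
        # Trust anchor assertion: the matched CA becomes the anchor. A full
        # implementation must still validate the chain up to that certificate;
        # that step is omitted here because the stand-ins carry no signatures.
        return any(c.is_ca and matches(record, c) for c in chain)
    return matches(record, ee)  # usage 3: domain-issued, EE only, no PKIX


def demo() -> Dict[str, bool]:
    """Constructed chain: leaf -> intermediate CA -> root CA, plus records for each usage."""
    leaf = Cert(b"leaf-cert-der", b"leaf-spki", is_ca=False)
    inter = Cert(b"intermediate-ca-der", b"inter-spki", is_ca=True)
    root = Cert(b"root-ca-der", b"root-spki", is_ca=True)
    chain = [leaf, inter, root]

    def record(usage: int, cert: Cert, selector: int = 0, mtype: int = 1) -> TLSA:
        return TLSA(usage, selector, mtype, association_data(cert, selector, mtype))

    return {
        "usage0_intermediate_pkix_ok": verify(record(0, inter), chain, True),
        "usage0_intermediate_pkix_fail": verify(record(0, inter), chain, False),
        "usage0_leaf_is_not_a_ca": verify(record(0, leaf), chain, True),
        "usage1_leaf": verify(record(1, leaf), chain, True),
        "usage1_spki_selector": verify(record(1, leaf, selector=1), chain, True),
        "usage3_leaf_without_pkix": verify(record(3, leaf), chain, False),
        "usage2_root_without_pkix": verify(record(2, root), chain, False),
    }
```

Run with `python -c 'import tlsa_demo; print(tlsa_demo.demo())'` (module name assumed). The two usage 0 results are the point of the thread: the same record matching the intermediate passes only when the chain also validates under PKIX, so a "CA constraints were violated" verdict can come either from no CA in the chain matching the hash or from the PKIX step failing, and a tool that reports only the former will disagree with one that checks both.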