[gnutls-devel] DANE: Verification failed for TLSA record with usage=0
Ondrej.Caletka at cesnet.cz
Thu Sep 18 09:48:04 CEST 2014
I've deployed TLSA records for www.cesnet.cz. I've used swede utility to
constrain allowed CA and according to swede, the record is valid:
$ ./swede verify www.cesnet.cz
Received the following record for name _443._tcp.www.cesnet.cz.:
Usage: 0 (CA Constraint)
Selector: 0 (Certificate)
Matching Type: 1 (SHA-256)
Certificate for Association:
This record is valid (well-formed).
Attempting to verify the record with the TLS service...
Got the following IP: 22.214.171.124
SUCCESS (Usage 0): A certificate in the certificate chain offered by the
server matches the one mentioned in the TLSA record and is a CA certificate
The matched certificate has Subject: /C=NL/O=TERENA/CN=TERENA SSL CA
However, when trying to validate this TLSA record using danetool from
GnuTLS 3.3.7, I get a validation error:
$ danetool --check www.cesnet.cz --proto tcp --port 443
Obtaining certificate from '2001:718:1:101::4:443'...
Querying DNS for www.cesnet.cz (tcp:443)...
_443._tcp.www.cesnet.cz. IN TLSA ( 00 00 01
Certificate usage: CA (00)
Certificate type: X.509 (00)
Contents: SHA2-256 hash (01)
Verification: Verification failed. CA constrains were violated.
I believe this is a bug in GnuTLS. Other DANE implementations see the
TLSA record as valid.
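The point the two tools disagree on is what a usage 0 (PKIX-TA, "CA constraint") record is allowed to match: per RFC 6698 the server's chain must still pass PKIX validation, and the certificate matching the record must be a CA certificate on that validated path, not the end-entity certificate (usage 1, PKIX-EE, is the reverse). The checker below is an added example written for this post; it is not code from GnuTLS, swede, or the thread. It assumes a validated path given as a list of DER blobs with the leaf first, takes the PKIX result as an input rather than performing X.509 validation itself, uses constructed byte strings in place of real certificates, and the function names (parse_tlsa_rdata, association_matches, verify_pkix_constrained, record_for) are hypothetical. It also parses the TLSA presentation format, including the multi-line "( ... )" form seen in danetool's output.

```python
"""Model checker for DANE TLSA usages 0 and 1 (RFC 6698 section 2.1.1).

Added example, not GnuTLS or swede code. The certification path is a list of
DER blobs (leaf first, issuers after it, optionally ending in the trust anchor)
and the PKIX outcome is supplied by the caller, so the question of *which*
certificate may satisfy the record is isolated from X.509 parsing.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TlsaRecord:
    usage: int          # 0 = PKIX-TA (CA constraint), 1 = PKIX-EE, 2 = DANE-TA, 3 = DANE-EE
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data


def parse_tlsa_rdata(rdata: str) -> TlsaRecord:
    """Parse TLSA presentation format: '<usage> <selector> <mtype> <hex...>'.

    Tolerates the '( ... )' wrapping and hex split across whitespace, as in a
    multi-line zone-file record or danetool's dump of the answer."""
    tokens = rdata.replace("(", " ").replace(")", " ").split()
    if len(tokens) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type and association data")
    usage, selector, mtype = (int(t, 10) for t in tokens[:3])
    for name, value, limit in (("usage", usage, 3), ("selector", selector, 1), ("matching type", mtype, 2)):
        if not 0 <= value <= limit:
            raise ValueError(f"TLSA {name} {value} out of range")
    return TlsaRecord(usage, selector, mtype, bytes.fromhex("".join(tokens[3:])))


def association_matches(record: TlsaRecord, cert_der: bytes, spki_der: Optional[bytes] = None) -> bool:
    """Compare one certificate against the record's association data."""
    if record.selector == 0:
        blob = cert_der
    else:
        if spki_der is None:
            raise ValueError("selector 1 needs the certificate's SubjectPublicKeyInfo DER")
        blob = spki_der
    if record.matching_type == 0:
        return blob == record.data
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[record.matching_type]
    return digest(blob).digest() == record.data


def verify_pkix_constrained(record: TlsaRecord, path: List[bytes], pkix_valid: bool) -> Tuple[bool, str]:
    """Apply usage 0 or 1 to a certification path (leaf at path[0]).

    Usage 0: PKIX validation must succeed AND a CA certificate on the path must match.
    Usage 1: PKIX validation must succeed AND the end-entity certificate must match.
    """
    if record.usage not in (0, 1):
        raise ValueError("this checker only models the PKIX-constrained usages 0 and 1")
    if not pkix_valid:
        return False, "PKIX validation failed; usages 0 and 1 never override it"
    if not path:
        return False, "empty certification path"
    leaf, issuers = path[0], path[1:]
    if record.usage == 1:
        if association_matches(record, leaf):
            return True, "end-entity certificate matches (PKIX-EE)"
        return False, "end-entity certificate does not match the TLSA record"
    # Usage 0: every certificate after the leaf on a validated path is a CA certificate.
    for position, ca_cert in enumerate(issuers, start=1):
        if association_matches(record, ca_cert):
            return True, f"CA certificate at path position {position} matches (PKIX-TA)"
    if association_matches(record, leaf):
        return False, "only the end-entity certificate matches; usage 0 requires a CA certificate"
    return False, "no CA certificate on the path matches the TLSA record"


# Constructed stand-ins for DER certificates (labels only, not real X.509 data).
LEAF_DER = b"constructed DER: CN=www.example.test end-entity"
INTERMEDIATE_DER = b"constructed DER: intermediate CA"
ROOT_DER = b"constructed DER: root CA trust anchor"
VALIDATED_PATH = [LEAF_DER, INTERMEDIATE_DER, ROOT_DER]


def record_for(usage: int, cert_der: bytes) -> str:
    """Render '<usage> 0 1 <sha256hex>' rdata (selector 0, SHA-256) for a certificate."""
    return f"{usage} 0 1 {hashlib.sha256(cert_der).hexdigest()}"


if __name__ == "__main__":
    for rdata in (record_for(0, INTERMEDIATE_DER), record_for(0, LEAF_DER),
                  record_for(1, LEAF_DER), record_for(1, INTERMEDIATE_DER)):
        ok, why = verify_pkix_constrained(parse_tlsa_rdata(rdata), VALIDATED_PATH, pkix_valid=True)
        print(f"{rdata[:6]}{rdata[6:14]}...  {'PASS' if ok else 'FAIL'}: {why}")
```

The first case in the usage block is the situation in this report: the record hashes an intermediate CA, PKIX validation succeeds, and the checker accepts it. The same record with usage 1 is rejected because the match is not on the end-entity certificate, and a usage 0 record that hashes the end-entity certificate is rejected for the opposite reason. A validator that reports a CA-constraint violation for the first case is either not comparing against the intermediate it received or is applying usage 1 semantics.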