[gnutls-devel] DANE: Verification failed for TLSA record with usage=0

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Sep 18 19:32:36 CEST 2014

On Thu, Sep 18, 2014 at 9:48 AM, Ondřej Caletka
<Ondrej.Caletka at cesnet.cz> wrote:
> Hello,
> I've deployed TLSA records for www.cesnet.cz. I've used swede utility to
> constrain allowed CA and according to swede, the record is valid:
> However, when trying to validate this TLSA record using danetool from
> GnuTLS 3.3.7, I get a validation error:
> $ danetool --check www.cesnet.cz --proto tcp --port 443
> Resolving 'www.cesnet.cz'...
> Obtaining certificate from '2001:718:1:101::4:443'...
> Querying DNS for www.cesnet.cz (tcp:443)...
> _443._tcp.www.cesnet.cz. IN TLSA ( 00 00 01
> 5c428b013b2e3f0d30abb5bebd92d066dc06dc223329eb0fc735609946cf8e1c )
> Certificate usage: CA (00)
> Certificate type:  X.509 (00)
> Contents:          SHA2-256 hash (01)
> Data:
> 5c428b013b2e3f0d30abb5bebd92d066dc06dc223329eb0fc735609946cf8e1c

Danetool requires that if the CA type is used, the CA should be the
immediate CA that signed your certificate. In your case the hash is
not of the CA that signed your certificate but from the CA that signed
your CA's certificate. That is an artificial danetool restriction that
would make sense to lift.
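The two matching rules at issue in this thread, as an added example (not code from the thread, from GnuTLS or from danetool): a usage=0 TLSA record is matched against a served chain once under the RFC 6698 rule (any CA in the validated chain may match) and once under the stricter "immediate issuer only" rule Nikos describes for danetool 3.3.7. The byte strings standing in for DER certificates are constructed, so only selector 0 (full certificate) is implemented; the parser for danetool's printed record form is also an assumption based solely on the output quoted above. PKIX validation of the chain, which usages 0 and 1 additionally require, is out of scope here.

```python
"""TLSA association matching for a served certificate chain.

Demonstrates why a usage=0 (PKIX-TA) record hashing the *root* CA passes
under RFC 6698 (any CA in the chain) but fails under a rule that only
accepts the CA that directly signed the end-entity certificate.
"""
import hashlib
import re

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
# Chain order is end-entity first, as a TLS server sends it.
LEAF = b"DER:www.cesnet.cz:end-entity"
INTERMEDIATE = b"DER:intermediate-ca"
ROOT = b"DER:root-ca"
CHAIN = [LEAF, INTERMEDIATE, ROOT]


def selector_data(cert_der, selector):
    """Selector 0: the full certificate. Selector 1 (SubjectPublicKeyInfo)
    would need real X.509 parsing, which the constructed data cannot support."""
    if selector == 0:
        return cert_der
    raise NotImplementedError("selector 1 (SPKI) requires X.509 parsing")


def matching_data(data, mtype):
    """Matching type 0: exact bytes, 1: SHA2-256, 2: SHA2-512 (RFC 6698)."""
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type %d" % mtype)


def tlsa_record(cert_der, usage, selector=0, mtype=1):
    """Build the (usage, selector, mtype, data) tuple a zone would publish
    to constrain TLS to this certificate."""
    return (usage, selector, mtype,
            matching_data(selector_data(cert_der, selector), mtype))


def candidates(chain, usage, strict_immediate_issuer=False):
    """Certificates a record of the given usage may match:
    usage 0 (PKIX-TA) / 2 (DANE-TA): a CA certificate in the chain
    (a DANE-TA anchor may also be absent from the served chain; not handled);
    usage 1 (PKIX-EE) / 3 (DANE-EE): the end-entity certificate only.
    strict_immediate_issuer reproduces the danetool 3.3.7 behaviour from the
    thread: for usage 0 only the CA that signed the end-entity cert counts."""
    if usage in (1, 3):
        return chain[:1]
    if usage in (0, 2):
        if usage == 0 and strict_immediate_issuer:
            return chain[1:2]
        return chain[1:]
    raise ValueError("unknown certificate usage %d" % usage)


def tlsa_matches(record, chain, strict_immediate_issuer=False):
    """True if any candidate certificate matches the record's association data."""
    usage, selector, mtype, data = record
    for cert in candidates(chain, usage, strict_immediate_issuer):
        if matching_data(selector_data(cert, selector), mtype) == data:
            return True
    return False


# danetool prints the three parameter fields as two-digit hex, then the
# association data, optionally wrapped in parentheses and across lines.
_TLSA_RE = re.compile(
    r"IN\s+TLSA\s*\(?\s*([0-9a-fA-F]{2})\s+([0-9a-fA-F]{2})\s+([0-9a-fA-F]{2})"
    r"\s+([0-9a-fA-F\s]+?)\s*\)?\s*$")


def parse_danetool_line(text):
    """Parse a record as printed by danetool --check (assumed format, based on
    the quoted output) into (usage, selector, mtype, data)."""
    m = _TLSA_RE.search(text)
    if not m:
        raise ValueError("not a TLSA record: %r" % text)
    usage, selector, mtype = (int(m.group(i), 16) for i in (1, 2, 3))
    data = bytes.fromhex("".join(m.group(4).split()))
    return usage, selector, mtype, data


if __name__ == "__main__":
    for name, ca in (("intermediate", INTERMEDIATE), ("root", ROOT)):
        rec = tlsa_record(ca, usage=0)
        print("usage=0 record for %s CA: RFC 6698 match=%s, immediate-issuer-only match=%s"
              % (name, tlsa_matches(rec, CHAIN),
                 tlsa_matches(rec, CHAIN, strict_immediate_issuer=True)))
```

Running the block shows the asymmetry from the thread: a record over the intermediate matches under both rules, a record over the root matches only under the RFC 6698 rule.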

