[gnutls-devel] DANE: Verification failed for TLSA record with usage=0
nmav at gnutls.org
Thu Sep 18 19:32:36 CEST 2014
On Thu, Sep 18, 2014 at 9:48 AM, Ondřej Caletka
<Ondrej.Caletka at cesnet.cz> wrote:
> I've deployed TLSA records for www.cesnet.cz. I've used swede utility to
> constrain allowed CA and according to swede, the record is valid:
> However, when trying to validate this TLSA record using danetool from
> GnuTLS 3.3.7, I get a validation error:
> $ danetool --check www.cesnet.cz --proto tcp --port 443
> Resolving 'www.cesnet.cz'...
> Obtaining certificate from '2001:718:1:101::4:443'...
> Querying DNS for www.cesnet.cz (tcp:443)...
> _443._tcp.www.cesnet.cz. IN TLSA ( 00 00 01
> 5c428b013b2e3f0d30abb5bebd92d066dc06dc223329eb0fc735609946cf8e1c )
> Certificate usage: CA (00)
> Certificate type: X.509 (00)
> Contents: SHA2-256 hash (01)
Danetool requires that if the CA type is used, the CA should be the
immediate CA that signed your certificate. In your case the hash is
not of the CA that signed your certificate but from the CA that signed
your CA's certificate. That is an artificial danetool restriction that
would make sense to lift.
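To make the distinction in the reply concrete, here is an added example (not GnuTLS or danetool code) that parses a TLSA record in the presentation form shown above and checks a usage=0 association against a certificate chain two ways: only the immediate issuer (the behaviour described for danetool 3.3.7) or any CA in the chain (the RFC 6698 reading of usage 0). The chain members are constructed byte strings standing in for DER certificates, and only selector 0 (full certificate) is modelled.

```python
import hashlib

def parse_tlsa(rdata: str):
    # Presentation form from the thread: "usage selector mtype hex-data"
    fields = rdata.split()
    usage, selector, mtype = (int(f, 16) for f in fields[:3])
    data = bytes.fromhex("".join(fields[3:]))
    return usage, selector, mtype, data

def cert_association(cert_der: bytes, selector: int, mtype: int) -> bytes:
    # Selector 0 = full certificate; selector 1 (SubjectPublicKeyInfo)
    # would need an ASN.1 parser and is not modelled here.
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is modelled")
    if mtype == 0:
        return cert_der
    if mtype == 1:
        return hashlib.sha256(cert_der).digest()
    if mtype == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError("unknown matching type")

def check_usage0(rdata: str, chain, immediate_only: bool) -> bool:
    """chain[0] is the end-entity cert, chain[1:] the issuing CAs in order.
    immediate_only=True: only the CA that signed chain[0] may match
    (the danetool restriction described in the reply).
    immediate_only=False: any CA in the chain may match (RFC 6698 usage 0)."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    if usage != 0:
        raise ValueError("this check models certificate usage 0 only")
    candidates = chain[1:2] if immediate_only else chain[1:]
    return any(cert_association(c, selector, mtype) == data for c in candidates)

# Constructed stand-ins for DER-encoded certificates (not real certificates).
LEAF = b"constructed-leaf-cert"
INTERMEDIATE = b"constructed-intermediate-ca"
ROOT = b"constructed-root-ca"
CHAIN = [LEAF, INTERMEDIATE, ROOT]

def tlsa_for(cert_der: bytes) -> str:
    # Build a "0 0 1" record (CA constraint, full cert, SHA2-256) for a cert.
    return "00 00 01 " + hashlib.sha256(cert_der).hexdigest()
```

A record pinning ROOT passes the chain-wide check but fails the immediate-issuer check, which is exactly the mismatch reported for www.cesnet.cz.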