[gnutls-devel] GnuTLS | gnutls-cli - incomplete DANE support (#557)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Sat Sep 8 19:04:36 CEST 2018
New Issue was created.
Issue 557: https://gitlab.com/gnutls/gnutls/issues/557
Author: Andreas Metzler
Assignee:
## Description of problem:
gnutls-cli DANE support is incomplete. Even when certificate usage in the TLSA record specifies "trust anchor assertion" or "domain-issued certificate", the trust check requires a match in the local trust-store.
## Version of gnutls used:
3.6.3 + git d4624761e3893314d5504a6ecbc9da6ff758bc41 (August 15 2018)
Also applies to 3.5.x
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Debian/experimental
## How reproducible:
Steps to Reproduce:
1. Make sure that Let's Encrypt CA is not in trust-store
2. gnutls-cli --dane lists.gentoo.org --starttls-proto=smtp < /dev/null
## Actual results:
The connection fails with "The certificate is NOT trusted".
## Expected results:
Successful connection.
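The decision logic the report expects, following the four TLSA certificate usages of RFC 6698, is sketched below as an added example; it is not code from the issue or from GnuTLS. All names are hypothetical, `pkix_ok` and `chain_sigs_ok` stand in for real X.509 validation results, the certificates are constructed placeholder bytes, and usage 2 is simplified to match only issuer certificates sent by the server.

```python
import hashlib
from collections import namedtuple

PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3   # RFC 6698 certificate usages
_MATCH = {0: lambda b: b,                          # matching type 0: exact bytes
          1: lambda b: hashlib.sha256(b).digest(),
          2: lambda b: hashlib.sha512(b).digest()}

Cert = namedtuple("Cert", "der spki")              # full cert, SubjectPublicKeyInfo
TLSA = namedtuple("TLSA", "usage selector mtype data")

def tlsa_for(usage, selector, mtype, cert):
    """Build the TLSA record a zone would publish for cert."""
    blob = cert.der if selector == 0 else cert.spki
    return TLSA(usage, selector, mtype, _MATCH[mtype](blob))

def _matches(rr, cert):
    if rr.selector not in (0, 1) or rr.mtype not in _MATCH:
        return False                               # unusable record, never a match
    return tlsa_for(rr.usage, rr.selector, rr.mtype, cert).data == rr.data

def dane_verify(rrset, chain, pkix_ok, chain_sigs_ok):
    """chain[0] is the server certificate, the rest are the issuers it sent.
    pkix_ok: validation against the local trust store succeeded (assumed input).
    chain_sigs_ok: signatures inside the presented chain verify (assumed input)."""
    leaf, issuers = chain[0], chain[1:]
    for rr in rrset:
        if rr.usage in (PKIX_EE, DANE_EE):
            matched = _matches(rr, leaf)
        elif rr.usage in (PKIX_TA, DANE_TA):
            matched = any(_matches(rr, c) for c in issuers)
        else:
            continue                               # unknown usage: skip record
        if not matched:
            continue
        if rr.usage == DANE_EE:
            return True                            # record alone authenticates the leaf
        if rr.usage == DANE_TA and chain_sigs_ok:
            return True                            # matched cert acts as trust anchor
        if rr.usage in (PKIX_TA, PKIX_EE) and pkix_ok:
            return True                            # only these need the local store
    return False

# Constructed placeholder bytes, not real certificates.
LEAF = Cert(b"constructed-leaf-der", b"constructed-leaf-spki")
CA = Cert(b"constructed-ca-der", b"constructed-ca-spki")
CHAIN = [LEAF, CA]
```

With `pkix_ok=False`, which models the CA being absent from the trust store as in the reproduction steps, records with usage 2 or 3 still authenticate the peer, while usage 0 or 1 records do not.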