[gnutls-devel] GnuTLS | gnutls-cli - incomplete DANE support (#557)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Sat Sep 8 19:04:36 CEST 2018
New Issue was created.
Issue 557: https://gitlab.com/gnutls/gnutls/issues/557
Author: Andreas Metzler
## Description of problem:
gnutls-cli DANE support is incomplete. Even when the certificate usage in the TLSA record specifies "trust anchor assertion" or "domain-issued certificate", the trust check requires a match in the local trust-store.
## Version of gnutls used:
3.6.3 + git d4624761e3893314d5504a6ecbc9da6ff758bc41 (August 15 2018)
Also applies to 3.5.x
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
## How reproducible:
Steps to Reproduce:
1. Make sure that Let's Encrypt CA is not in trust-store
2. `gnutls-cli --dane lists.gentoo.org --starttls-proto=smtp < /dev/null`
## Actual results:
The connection fails with "The certificate is NOT trusted".
## Expected results:
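The usage semantics the report relies on (RFC 6698: usages 2 "trust anchor assertion" and 3 "domain-issued certificate" authenticate the chain from the TLSA record alone, while usages 0 and 1 additionally need trust-store validation), as an added example that is not part of the issue or of GnuTLS code. The names `dane_verify`, `make_tlsa`, `association` and `CHAIN` are hypothetical, the certificates are constructed byte strings, and the signatures linking the chain are assumed to be verified elsewhere.

```python
import hashlib

PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3   # RFC 6698 certificate usages
HASHES = {0: lambda b: b,                          # matching type 0: exact bytes
          1: lambda b: hashlib.sha256(b).digest(),
          2: lambda b: hashlib.sha512(b).digest()}
FIELDS = {0: "der", 1: "spki"}                     # selector 0: full cert, 1: SPKI

def association(cert, selector, mtype):
    """Bytes a TLSA record with this selector/matching type must carry, or None."""
    if selector not in FIELDS or mtype not in HASHES:
        return None                                # unknown values make the record unusable
    return HASHES[mtype](cert[FIELDS[selector]])

def make_tlsa(usage, selector, mtype, cert):
    """Build a (usage, selector, mtype, data) tuple for a constructed certificate."""
    return (usage, selector, mtype, association(cert, selector, mtype))

def dane_verify(chain, rrset, pkix_trusted):
    """chain[0] is the server certificate, chain[1:] its issuers.
    pkix_trusted: result of the ordinary check against the local trust store.
    Assumption: the signatures linking the chain were already verified."""
    for usage, selector, mtype, data in rrset:
        # EE usages are compared with the server cert, TA usages with its issuers.
        candidates = chain[:1] if usage in (PKIX_EE, DANE_EE) else chain[1:]
        if data is None or not any(
                association(c, selector, mtype) == data for c in candidates):
            continue
        if usage in (DANE_TA, DANE_EE):
            return True, f"usage {usage}: TLSA match is sufficient, trust store not consulted"
        if pkix_trusted:
            return True, f"usage {usage}: TLSA match plus trust-store validation"
    return False, "no TLSA record authenticates this chain"

# Constructed stand-ins for DER certificates and their SubjectPublicKeyInfo.
CHAIN = [{"der": b"constructed-server-cert", "spki": b"constructed-server-key"},
         {"der": b"constructed-issuer-cert", "spki": b"constructed-issuer-key"}]

if __name__ == "__main__":
    # The issuing CA is absent from the trust store in every case (pkix_trusted=False).
    for usage, cert in ((PKIX_TA, CHAIN[1]), (PKIX_EE, CHAIN[0]),
                        (DANE_TA, CHAIN[1]), (DANE_EE, CHAIN[0])):
        rr = make_tlsa(usage, 1, 1, cert)
        print(usage, dane_verify(CHAIN, [rr], pkix_trusted=False))
```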