[gnutls-devel] GnuTLS | Unclear extent of functionality of danetool --check (#558)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Sat Sep 8 19:22:34 CEST 2018
New Issue was created.
Issue 558: https://gitlab.com/gnutls/gnutls/issues/558
Author: Andreas Metzler
Assignee:
## Description of problem:
p11tool(1) says
```
--check=string
Check a host's DANE TLSA entry.
Obtains the DANE TLSA entry from the given hostname and prints information. Note
that the actual certificate of the host can be provided using --load-certificate,
otherwise danetool will connect to the server to obtain it. The exit code on verification
success will be zero.
```
I understood this to mean that p11tool actually does trust verification. However afaict this is somewhere in between a syntax check and a trust path validation. I *think* p11tool uses the following steps:
1. Pull the TLSA record
2. Connect to the host and receive the provided certificate chain.
3. Verify the server certificate using the provided certificate chain and TLSA record, i.e.
- with certificate usage 0 or 2 check for a signing certificate in the chain
- with certificate usage 1 or 3 check that the server cert matches the fingerprint in the TLSA record.
- The local trust store is never consulted.
I do understand that it might make sense to not consult the local trust-store since _gnutls-cli --dane_ already exists.
## Version of gnutls used:
gnutls GIT d4624761e3893314d5504a6ecbc9da6ff758bc41 (15 Aug 2018) - post 3.6.3
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Debian
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/558
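The usage-dependent matching that step 3 of the report describes, as an added example that is neither GnuTLS code nor the reporter's: a small Python model of TLSA matching per RFC 6698, where `Cert`, `TLSA`, `check_chain` and the sample byte strings are constructed assumptions. It also flags that usages 0 and 1 only make sense together with a PKIX validation against a trust store, which a TLSA-only match does not provide.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Cert:            # one certificate of the presented chain
    der: bytes         # DER-encoded certificate (constructed stand-in below)
    spki: bytes        # DER-encoded SubjectPublicKeyInfo (constructed stand-in)

@dataclass
class TLSA:            # one TLSA record, field semantics per RFC 6698
    usage: int         # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int      # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int      # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes        # certificate association data

def tlsa_matches(cert: Cert, rr: TLSA) -> bool:
    # pick the certificate part named by the selector ...
    selected = {0: cert.der, 1: cert.spki}[rr.selector]
    # ... and compare it in the form named by the matching type
    hashed = {0: lambda b: b,
              1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[rr.matching](selected)
    return hashed == rr.data

def check_chain(chain: list, rr: TLSA) -> dict:
    # chain[0] is the server certificate, the rest are the issuers it sent
    if rr.usage in (0, 2):
        # trust-anchor usages: any certificate in the presented chain may match
        matched = any(tlsa_matches(c, rr) for c in chain)
    elif rr.usage in (1, 3):
        # end-entity usages: only the server certificate itself may match
        matched = tlsa_matches(chain[0], rr)
    else:
        raise ValueError(f"unknown certificate usage {rr.usage}")
    return {
        "tlsa_match": matched,
        # usages 0 and 1 additionally need PKIX validation against a trust store
        "pkix_validation_still_required": rr.usage in (0, 1),
    }

# constructed sample chain: stand-in byte strings, not real DER
EE = Cert(der=b"constructed ee cert", spki=b"constructed ee spki")
CA = Cert(der=b"constructed ca cert", spki=b"constructed ca spki")
CHAIN = [EE, CA]

def sample_results() -> dict:
    rr_311 = TLSA(3, 1, 1, hashlib.sha256(EE.spki).digest())  # DANE-EE
    rr_202 = TLSA(2, 0, 2, hashlib.sha512(CA.der).digest())   # DANE-TA
    rr_111 = TLSA(1, 1, 1, hashlib.sha256(CA.spki).digest())  # PKIX-EE, but CA key
    return {k: check_chain(CHAIN, rr) for k, rr in
            (("3 1 1", rr_311), ("2 0 2", rr_202), ("1 1 1", rr_111))}
```

A real tool would take `der` and `spki` from the certificates the server sends; the record "1 1 1" illustrates why usage matters: the same digest matches under usage 0 or 2 but not under usage 1 or 3.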