[gnutls-devel] GnuTLS | gnutls-cli - incomplete DANE support (#557)

[Development of GNU's TLS library]

Nikos Mavrogiannopoulos @nmav wrote
> I do not think we have the X now, at least automatically.

That what I tried to convey in my message, sorry if it was not clear enough.

> We only support dane/TLSA as a separate mechanism for certificate validation. Do you think we need some text clarifying that?

I personally *think* gnutls-cli dane support is not very useful as it is, i.e. this is not a documentation issue but an incomplete feature.

Let's assume I want to use gnutls-cli to check whether I have set up DANE correctly. What do I need to do?
1. Use dig or danetool to view the TLSA record(s) and find whether DANE-TA/DANE-EE or PKIX-TA/PKIX-EE is used.
2. Choose a gnutls-cli invocation
   - a For DANE-TA and/or DANE-EE use gnutls-cli --no-ca-verification --dane
   - b For PKIX-TA and/or PKIX-EE do not set --no-ca-verification
   - c For mixed records as an additional step look at the certificate to decide whether to got to 2a or 2b.

This is a little bit simplified because the correct choice (DANE- or PKIX-) is protocol dependent. (Opportunistic TLS like SMTP should not use PKIX-* and DANE-* does not make sense for https because browsers require a signature by trusted CA.) However I think we agree that it does not make sense to implement these arcane (possibly changing) policies in gnutls-cli.

I do think though that the above 1/2abc should not be necessary, assuming the TLS-A choice is correct gnutls-cli should be able to verify trust , taking DANE correctly into account.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/557#note_105303856
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20180929/2b30c0ec/attachment.html>