[gnutls-devel] GnuTLS | gnutls-cli - incomplete DANE support (#557)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Sat Sep 29 18:29:50 CEST 2018
Nikos Mavrogiannopoulos @nmav wrote
> I do not think we have the X now, at least automatically.
That is what I tried to convey in my message; sorry if it was not clear enough.
> We only support dane/TLSA as a separate mechanism for certificate validation. Do you think we need some text clarifying that?
I personally *think* gnutls-cli dane support is not very useful as it is, i.e. this is not a documentation issue but an incomplete feature.
Let's assume I want to use gnutls-cli to check whether I have set up DANE correctly. What do I need to do?
1. Use dig or danetool to view the TLSA record(s) and find whether DANE-TA/DANE-EE or PKIX-TA/PKIX-EE is used.
2. Choose a gnutls-cli invocation:
   a. For DANE-TA and/or DANE-EE use gnutls-cli --no-ca-verification --dane
   b. For PKIX-TA and/or PKIX-EE do not set --no-ca-verification
   c. For mixed records, as an additional step, look at the certificate to decide whether to go to 2a or 2b.
This is a little bit simplified because the correct choice (DANE-* or PKIX-*) is protocol dependent. (Opportunistic TLS like SMTP should not use PKIX-*, and DANE-* does not make sense for https because browsers require a signature by a trusted CA.) However, I think we agree that it does not make sense to implement these arcane (possibly changing) policies in gnutls-cli.
I do think, though, that the above 1/2abc should not be necessary: assuming the TLSA choice is correct, gnutls-cli should be able to verify trust, taking DANE correctly into account.
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/557#note_105303856
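The manual step 1/2abc from the post, written out as a small POSIX shell helper. This is an added example and not code from the GnuTLS project or from the post's author: it reads TLSA records in the whitespace-separated form that `dig +short TLSA _443._tcp.example.com` prints (certificate usage, selector, matching type, association data), classifies the certificate-usage field (0/1 = PKIX-TA/PKIX-EE, 2/3 = DANE-TA/DANE-EE), and prints the gnutls-cli command line the post maps each case to, flagging the mixed case where the post says the certificate itself has to be inspected. The sample records at the bottom are constructed; the DNSSEC status of the TLSA lookup is assumed to have been checked separately with dig or danetool, as in step 1.

```shell
#!/bin/sh
# Added example (not GnuTLS project code). Maps TLSA certificate-usage values
# to the gnutls-cli invocation described in the post.

# usage_name: RFC 6698 certificate-usage number -> symbolic name.
usage_name() {
  case "$1" in
    0) echo PKIX-TA ;;
    1) echo PKIX-EE ;;
    2) echo DANE-TA ;;
    3) echo DANE-EE ;;
    *) echo UNKNOWN ;;
  esac
}

# tlsa_mode: reads TLSA records on stdin, one per line, in the
# "usage selector matching-type data" form printed by `dig +short`,
# and prints one of: dane, pkix, mixed, none.
tlsa_mode() {
  dane=0; pkix=0
  while read -r usage _selector _mtype _data; do
    case "$usage" in
      2|3) dane=1 ;;          # DANE-TA / DANE-EE: trust anchored in DNS
      0|1) pkix=1 ;;          # PKIX-TA / PKIX-EE: CA validation still required
      '')  ;;                 # skip blank lines
      *)   echo "unknown certificate usage: $usage" >&2; return 1 ;;
    esac
  done
  if [ "$dane" -eq 1 ] && [ "$pkix" -eq 1 ]; then echo mixed
  elif [ "$dane" -eq 1 ]; then echo dane
  elif [ "$pkix" -eq 1 ]; then echo pkix
  else echo none
  fi
}

# cli_flags: host and mode -> the gnutls-cli command from step 2a/2b,
# or a comment line for the cases the post says need manual inspection.
cli_flags() {
  host=$1; mode=$2
  case "$mode" in
    dane)  echo "gnutls-cli --dane --no-ca-verification $host" ;;
    pkix)  echo "gnutls-cli --dane $host" ;;
    mixed) echo "# mixed DANE-*/PKIX-* records for $host: inspect the certificate, then use step 2a or 2b" ;;
    none)  echo "# no TLSA records for $host: plain CA validation, gnutls-cli $host" ;;
    *)     echo "# unknown mode $mode" >&2; return 1 ;;
  esac
}

# Constructed sample data: one DANE-EE (3 1 1) and one DANE-TA (2 0 1) record.
SAMPLE_TLSA='3 1 1 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
2 0 1 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210'

mode=$(printf '%s\n' "$SAMPLE_TLSA" | tlsa_mode)
echo "TLSA mode for sample records: $mode"
cli_flags example.com "$mode"
```

Pipe real `dig +short TLSA _443._tcp.<host>` output into `tlsa_mode` to classify live records; the helper only decides which of the post's invocations applies and does not itself perform any DNSSEC or certificate check.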