[gnutls-devel] GnuTLS | gnutls-cli - incomplete DANE support (#557)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Thu Jul 25 10:10:44 CEST 2024
Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/557#note_2015464532
I admit I do not fully understand the issue, but in the current implementation, "Certificate usage=2 (DANE-TA Trust anchor assertion)" is mapped to `DANE_CERT_USAGE_LOCAL_CA`, which is only checked without `--no-ca-verification` (i.e., `!(vflags & DANE_VFLAG_ONLY_CHECK_EE_USAGE)` [here](https://gitlab.com/gnutls/gnutls/-/blob/ef5a574e3acc358e2a6f7c4efaeb21bef15f9349/libdane/dane.c#L771)), and since all the certs have usage=2, the loop ends without verification and returns `DANE_E_REQUESTED_DATA_NOT_AVAILABLE`.
Do you think it should also be evaluated in EE-only verification?
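The record-filtering behaviour described in the comment, as an added standalone model (not libdane code, and not written by the commenter): the enum names mirror the libdane identifiers cited above and the usage numbers are RFC 6698 values, but the flag bit, the error values, the `struct tlsa_rr` layout and the `model_dane_verify` function are assumptions made for illustration. It shows why an RRset consisting only of usage=2 (DANE-TA) records yields "requested data not available" under EE-only checking, while the same set is evaluated once a usage=3 record is present or the flag is cleared.

```c
#include <stddef.h>
#include <stdio.h>

/* Certificate usage values from RFC 6698. The enum names mirror the libdane
 * identifiers mentioned in the discussion, but this file is a standalone
 * model and does not link against libdane. */
enum dane_cert_usage {
    DANE_CERT_USAGE_CA       = 0, /* PKIX-TA */
    DANE_CERT_USAGE_EE       = 1, /* PKIX-EE */
    DANE_CERT_USAGE_LOCAL_CA = 2, /* DANE-TA, the usage discussed above */
    DANE_CERT_USAGE_LOCAL_EE = 3  /* DANE-EE */
};

/* Modelled after DANE_VFLAG_ONLY_CHECK_EE_USAGE (what gnutls-cli sets for
 * --no-ca-verification). The bit position is an assumption. */
#define DANE_VFLAG_ONLY_CHECK_EE_USAGE (1u << 1)

/* Outcomes. The NOT_AVAILABLE name mirrors libdane's error; numeric values
 * are assumptions of this model. */
enum {
    MODEL_OK = 0,
    MODEL_E_REQUESTED_DATA_NOT_AVAILABLE = -1,
    MODEL_E_CERT_MISMATCH = -2
};

/* One TLSA record; matches_chain stands in for the real digest comparison
 * against the presented chain (constructed input, not a DNS lookup). */
struct tlsa_rr {
    int usage;
    int selector;
    int mtype;
    int matches_chain;
};

/* Walk the RRset the way the comment describes: CA-style usages (0 and 2)
 * are skipped entirely when EE-only checking is requested, EE usages (1
 * and 3) are always compared, and if nothing was compared the result is
 * "data not available" rather than success or failure. Treating usage 0
 * like usage 2 here is an assumption; the comment only discusses usage 2. */
int model_dane_verify(const struct tlsa_rr *rrs, size_t n,
                      unsigned vflags, size_t *evaluated_out)
{
    size_t evaluated = 0;
    int matched = 0;

    for (size_t i = 0; i < n; i++) {
        int u = rrs[i].usage;
        if (u == DANE_CERT_USAGE_CA || u == DANE_CERT_USAGE_LOCAL_CA) {
            if (vflags & DANE_VFLAG_ONLY_CHECK_EE_USAGE)
                continue;           /* CA assertion ignored under EE-only */
        } else if (u != DANE_CERT_USAGE_EE && u != DANE_CERT_USAGE_LOCAL_EE) {
            continue;               /* unknown usage: ignore per RFC 6698 */
        }
        evaluated++;
        if (rrs[i].matches_chain)
            matched = 1;            /* any matching record is sufficient */
    }

    if (evaluated_out)
        *evaluated_out = evaluated;
    if (evaluated == 0)
        return MODEL_E_REQUESTED_DATA_NOT_AVAILABLE;
    return matched ? MODEL_OK : MODEL_E_CERT_MISMATCH;
}

/* Constructed RRset: two DANE-TA records that would match, nothing else. */
static const struct tlsa_rr only_dane_ta[] = {
    { DANE_CERT_USAGE_LOCAL_CA, 1, 1, 1 },
    { DANE_CERT_USAGE_LOCAL_CA, 0, 1, 1 },
};

/* Constructed RRset: the same two records plus a matching DANE-EE record. */
static const struct tlsa_rr mixed[] = {
    { DANE_CERT_USAGE_LOCAL_CA, 1, 1, 1 },
    { DANE_CERT_USAGE_LOCAL_EE, 1, 1, 1 },
};

/* The situation from the issue: all usage=2, --no-ca-verification set. */
int scenario_all_dane_ta_ee_only(void)
{
    return model_dane_verify(only_dane_ta, 2, DANE_VFLAG_ONLY_CHECK_EE_USAGE, NULL);
}

/* Same RRset without the flag: the DANE-TA records are evaluated. */
int scenario_all_dane_ta_full(void)
{
    return model_dane_verify(only_dane_ta, 2, 0, NULL);
}

/* Mixed RRset with the flag: the DANE-EE record alone decides the result. */
int scenario_mixed_ee_only(void)
{
    return model_dane_verify(mixed, 2, DANE_VFLAG_ONLY_CHECK_EE_USAGE, NULL);
}

int main(void)
{
    printf("all DANE-TA, EE-only : %d\n", scenario_all_dane_ta_ee_only());
    printf("all DANE-TA, full    : %d\n", scenario_all_dane_ta_full());
    printf("mixed, EE-only       : %d\n", scenario_mixed_ee_only());
    return 0;
}
```

The design point for an operator is the distinction between the two negative outcomes: a mismatch means a TLSA record was compared and failed, whereas "not available" means no record was eligible for comparison at all, so a client that treats the latter as a hard failure under `--no-ca-verification` will reject every zone that publishes only DANE-TA records.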