<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<div></div>
<h2 dir="auto">
<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>
<p dir="auto">p11tool(1) says</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">--check=string</span>
<span id="LC2" class="line" lang="plaintext"> Check a host's DANE TLSA entry.</span>
<span id="LC3" class="line" lang="plaintext"></span>
<span id="LC4" class="line" lang="plaintext"> Obtains the DANE TLSA entry from the given hostname and prints information. Note</span>
<span id="LC5" class="line" lang="plaintext"> that the actual certificate of the host can be provided using --load-certificate,</span>
<span id="LC6" class="line" lang="plaintext"> otherwise danetool will connect to the server to obtain it. The exit code on verification</span>
<span id="LC7" class="line" lang="plaintext"> success will be zero.</span></code></pre>
<p dir="auto">I understood this to mean that p11tool actually does trust verification. However afaict this is somewhere in between a syntax check and a trust path validation. I <em>think</em> p11tool uses the following steps:</p>
<ol dir="auto">
<li>Pull the TLSA record</li>
<li>Connect to the host and get receive the provided certificate chain.</li>
<li>Verify the server certificate using the provided certificate chain and TLSA record, i.e.
<ul>
<li>with certificate usage 0 or 2 check for a signing certificate in the chain</li>
<li>with certificate usage 1 or 3 check that the server cert matches the fingerprint in the TLSA record.</li>
<li>The local trust store is never consulted.</li>
</ul>
</li>
</ol>
<p dir="auto">I do understand that it might make sense to not consult the local trust-store since <em>gnutls-cli --dane</em> already exists.</p>
<h2 dir="auto">
<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>
<p dir="auto">gnutls GIT <a href="https://gitlab.com/gnutls/gnutls/commit/d4624761e3893314d5504a6ecbc9da6ff758bc41" data-original="d4624761e3893314d5504a6ecbc9da6ff758bc41" data-link="false" data-link-reference="false" data-project="179611" data-commit="d4624761e3893314d5504a6ecbc9da6ff758bc41" data-reference-type="commit" data-container="body" data-placement="bottom" title="Merge branch 'tmp-document-none' into 'master'" class="gfm gfm-commit has-tooltip">d4624761</a> (15 Aug 2018) - post 3.6.3</p>
<h2 dir="auto">
<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>
<p dir="auto">Debian</p>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
—
<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/558">view it on GitLab</a>.
<br>
You're receiving this email because of your account on gitlab.com.
If you'd like to receive fewer emails, you can
<a href="https://gitlab.com/sent_notifications/bef1070201518b74d9b2de05c69601b2/unsubscribe">unsubscribe</a>
from this thread or
adjust your notification settings.
<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/issues/558"}}</script>
</p>
</div>
</body>
</html>