&<<CHAPTLS>>& for details of TLS support and chapter &<<CHAPsmtptrans>>& for
details of the &(smtp)& transport.
+.vitem &$tls_out_dane$&
+.vindex &$tls_out_dane$&
+DANE active status. See section &<<SECDANE>>&.
+
.vitem &$tls_in_ocsp$&
.vindex "&$tls_in_ocsp$&"
When a message is received from a remote client connection
SMTP deliveries, this variable reflects the value of the &%tls_sni%& option on
the transport.
+.vitem &$tls_out_tlsa_usage$&
+.vindex &$tls_out_tlsa_usage$&
+Bitfield of TLSA record types found. See section &<<SECDANE>>&.
+
.vitem &$tod_bsdinbox$&
.vindex "&$tod_bsdinbox$&"
The time of day and the date, in the format required for BSD-style mailbox
TLS session for any host that matches this list.
&%tls_verify_certificates%& should also be set for the transport.
+.new
+.option hosts_require_dane smtp "host list&!!" unset
+.cindex DANE "transport options"
+.cindex DANE "requiring for certain servers"
+If built with DANE support, Exim will require that a DNSSEC-validated
+TLSA record is present for any host matching the list,
+and that a DANE-verified TLS connection is made.
+There will be no fallback to in-clear communication.
+See section &<<SECDANE>>&.
+.wen
+
.option hosts_require_ocsp smtp "host list&!!" unset
.cindex "TLS" "requiring for certain servers"
Exim will request, and check for a valid Certificate Status being given, on a
CHUNKING support, Exim will attempt to use BDAT commands rather than DATA.
BDAT will not be used in conjunction with a transport filter.
+.new
+.option hosts_try_dane smtp "host list&!!" unset
+.cindex DANE "transport options"
+.cindex DANE "attempting for certain servers"
+If built with DANE support, Exim will lookup a
+TLSA record for any host matching the list.
+If found and verified by DNSSEC,
+a DANE-verified TLS connection is made to that host;
+there will be no fallback to in-clear communication.
+See section &<<SECDANE>>&.
+.wen
+
.option hosts_try_fastopen smtp "host list&!!" unset
.cindex "fast open, TCP" "enabling, in client"
.cindex "TCP Fast Open" "enabling, in client"
+.new
+.section DANE "SECDANE"
+.cindex DANE
+DNS-based Authentication of Named Entities, as applied to SMTP over TLS, provides assurance to a client that
+it is actually talking to the server it wants to rather than some attacker operating a Man In The Middle (MITM)
+operation. The latter can terminate the TLS connection you make, and make another one to the server (so both
+you and the server still think you have an encrypted connection) and, if one of the "well known" set of
+Certificate Authorities has been suborned - something which *has* been seen already (2014), a verifiable
+certificate (if you're using normal root CAs, eg. the Mozilla set, as your trust anchors).
+
+What DANE does is replace the CAs with the DNS as the trust anchor. The assurance is limited to a) the possibility
+that the DNS has been suborned, b) mistakes made by the admins of the target server. The attack surface presented
+by (a) is thought to be smaller than that of the set of root CAs.
+
+It also allows the server to declare (implicitly) that connections to it should use TLS. An MITM could simply
+fail to pass on a server's STARTTLS.
+
+DANE scales better than having to maintain (and side-channel communicate) copies of server certificates
+for every possible target server. It also scales (slightly) better than having to maintain on an SMTP
+client a copy of the standard CAs bundle. It also means not having to pay a CA for certificates.
+
+DANE requires a server operator to do three things: 1) run DNSSEC. This provides assurance to clients
+that DNS lookups they do for the server have not been tampered with. The domain MX record applying
+to this server, its A record, its TLSA record and any associated CNAME records must all be covered by
+DNSSEC.
+2) add TLSA DNS records. These say what the server certificate for a TLS connection should be.
+3) offer a server certificate, or certificate chain, in TLS connections which is traceable to the one
+defined by (one of?) the TSLA records
+
+There are no changes to Exim specific to server-side operation of DANE.
+Support for client-side operation of DANE can be included at compile time by defining SUPPORT_DANE=yes
+in &_Local/Makefile_&.
+If it has been included, the macro "_HAVE_DANE" will be defined.
+
+The TLSA record for the server may have "certificate usage" of DANE-TA(2) or DANE-EE(3). The latter specifies
+the End Entity directly, i.e. the certificate involved is that of the server (and should be the sole one transmitted
+during the TLS handshake); this is appropriate for a single system, using a self-signed certificate.
+DANE-TA usage is effectively declaring a specific CA to be used; this might be a private CA or a public,
+well-known one. A private CA at simplest is just a self-signed certificate which is used to sign
+cerver certificates, but running one securely does require careful arrangement. If a private CA is used
+then either all clients must be primed with it, or (probably simpler) the server TLS handshake must transmit
+the entire certificate chain from CA to server-certificate. If a public CA is used then all clients must be primed with it
+(losing one advantage of DANE) - but the attack surface is reduced from all public CAs to that single CA.
+DANE-TA is commonly used for several services and/or servers, each having a TLSA query-domain CNAME record,
+all of which point to a single TLSA record.
+
+The TLSA record should have a Selector field of SPKI(1) and a Matching Type field of SHA2-512(2).
+
+At the time of writing, &url(https://www.huque.com/bin/gen_tlsa)
+is useful for quickly generating TLSA records; and commands like
+
+.code
+ openssl x509 -in -pubkey -noout <certificate.pem \
+ | openssl rsa -outform der -pubin 2>/dev/null \
+ | openssl sha512 \
+ | awk '{print $2}'
+.endd
+
+are workable for 4th-field hashes.
+
+For use with the DANE-TA model, server certificates must have a correct name (SubjectName or SubjectAltName).
+
+The use of OCSP-stapling should be considered, allowing for fast revocation of certificates (which would otherwise
+be limited by the DNS TTL on the TLSA records). However, this is likely to only be usable with DANE-TA. NOTE: the
+default of requesting OCSP for all hosts is modified iff DANE is in use, to:
+
+.code
+ hosts_request_ocsp = ${if or { {= {0}{$tls_out_tlsa_usage}} \
+ {= {4}{$tls_out_tlsa_usage}} } \
+ {*}{}}
+.endd
+
+The (new) variable &$tls_out_tlsa_usage$& is a bitfield with numbered bits set for TLSA record usage codes.
+The zero above means DANE was not in use, the four means that only DANE-TA usage TLSA records were
+found. If the definition of &%hosts_request_ocsp%& includes the
+string "tls_out_tlsa_usage", they are re-expanded in time to
+control the OCSP request.
+
+This modification of hosts_request_ocsp is only done if it has the default value of "*". Admins who change it, and
+those who use &%hosts_require_ocsp%&, should consider the interaction with DANE in their OCSP settings.
+
+
+For client-side DANE there are two new smtp transport options, &%hosts_try_dane%& and &%hosts_require_dane%&.
+The latter variant will result in failure if the target host is not DNSSEC-secured.
+
+DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA records.
+
+A TLSA lookup will be done if either of the above options match and the host-lookup succeeded using dnssec.
+If a TLSA lookup is done and succeeds, a DANE-verified TLS connection
+will be required for the host. If it does not, the host will not
+be used; there is no fallback to non-DANE or non-TLS.
+
+If DANE is requested and useable (see above) the following transport options are ignored:
+.code
+ hosts_require_tls
+ tls_verify_hosts
+ tls_try_verify_hosts
+ tls_verify_certificates
+ tls_crl
+ tls_verify_cert_hostnames
+.endd
+
+If DANE is not usable, whether requested or not, and CA-anchored
+verification evaluation is wanted, the above variables should be set appropriately.
+
+Currently the &%dnssec_request_domains%& must be active and &%dnssec_require_domains%& is ignored.
+
+If verification was successful using DANE then the "CV" item in the delivery log line will show as "CV=dane".
+
+There is a new variable &$tls_out_dane$& which will have "yes" if
+verification succeeded using DANE and "no" otherwise (only useful
+in combination with EXPERIMENTAL_EVENT), and a new variable &$tls_out_tlsa_usage$& (detailed above).
+
+Under GnuTLS, DANE is only supported from version 3.0.0 onwards.
+.wen
+
+
+
. ////////////////////////////////////////////////////////////////////////////
. ////////////////////////////////////////////////////////////////////////////
unchanged, or whether they should be rendered as escape sequences.
.next
.cindex "log" "certificate verification"
+.cindex log DANE
+.cindex DANE logging
&%tls_certificate_verified%&: An extra item is added to <= and => log lines
when TLS is in use. The item is &`CV=yes`& if the peer's certificate was
-verified, and &`CV=no`& if not.
+verified
+.new
+using a CA trust anchor,
+&`CA=dane`& if using a DNS trust anchor,
+.wen
+and &`CV=no`& if not.
.next
.cindex "log" "TLS cipher"
.cindex "TLS" "logging cipher"
macro text after a replacement (previously it was only once per line) and
by skipping builtin macros when searching for an uppercase lead character.
+JH/20 DANE support moved from Experimental to mainline. The Makefile control
+ for the build is renamed.
+
Exim version 4.90
-----------------
1. Dual-certificate stacks on servers now support OCSP stapling, under GnuTLS
version 3.5.6 or later.
- 2. DANE is now supported under GnuTLS version 3.0.0 or later (adding to the
- previous OpenSSL implementation, but still Experimental).
+ 2. DANE is now supported under GnuTLS version 3.0.0 or later. Both GnuTLS and
+ OpenSSL versions are moved to mainline support from Experimental.
3. Feature macros for the compiled-in set of malware scanner interfaces.
-DANE
-------------------------------------------------------------
-DNS-based Authentication of Named Entities, as applied
-to SMTP over TLS, provides assurance to a client that
-it is actually talking to the server it wants to rather
-than some attacker operating a Man In The Middle (MITM)
-operation. The latter can terminate the TLS connection
-you make, and make another one to the server (so both
-you and the server still think you have an encrypted
-connection) and, if one of the "well known" set of
-Certificate Authorities has been suborned - something
-which *has* been seen already (2014), a verifiable
-certificate (if you're using normal root CAs, eg. the
-Mozilla set, as your trust anchors).
-
-What DANE does is replace the CAs with the DNS as the
-trust anchor. The assurance is limited to a) the possibility
-that the DNS has been suborned, b) mistakes made by the
-admins of the target server. The attack surface presented
-by (a) is thought to be smaller than that of the set
-of root CAs.
-
-It also allows the server to declare (implicitly) that
-connections to it should use TLS. An MITM could simply
-fail to pass on a server's STARTTLS.
-
-DANE scales better than having to maintain (and
-side-channel communicate) copies of server certificates
-for every possible target server. It also scales
-(slightly) better than having to maintain on an SMTP
-client a copy of the standard CAs bundle. It also
-means not having to pay a CA for certificates.
-
-DANE requires a server operator to do three things:
-1) run DNSSEC. This provides assurance to clients
-that DNS lookups they do for the server have not
-been tampered with. The domain MX record applying
-to this server, its A record, its TLSA record and
-any associated CNAME records must all be covered by
-DNSSEC.
-2) add TLSA DNS records. These say what the server
-certificate for a TLS connection should be.
-3) offer a server certificate, or certificate chain,
-in TLS connections which is traceable to the one
-defined by (one of?) the TSLA records
-
-There are no changes to Exim specific to server-side
-operation of DANE.
-
-The TLSA record for the server may have "certificate
-usage" of DANE-TA(2) or DANE-EE(3). The latter specifies
-the End Entity directly, i.e. the certificate involved
-is that of the server (and should be the sole one transmitted
-during the TLS handshake); this is appropriate for a
-single system, using a self-signed certificate.
- DANE-TA usage is effectively declaring a specific CA
-to be used; this might be a private CA or a public,
-well-known one. A private CA at simplest is just
-a self-signed certificate which is used to sign
-cerver certificates, but running one securely does
-require careful arrangement. If a private CA is used
-then either all clients must be primed with it, or
-(probably simpler) the server TLS handshake must transmit
-the entire certificate chain from CA to server-certificate.
-If a public CA is used then all clients must be primed with it
-(losing one advantage of DANE) - but the attack surface is
-reduced from all public CAs to that single CA.
-DANE-TA is commonly used for several services and/or
-servers, each having a TLSA query-domain CNAME record,
-all of which point to a single TLSA record.
-
-The TLSA record should have a Selector field of SPKI(1)
-and a Matching Type field of SHA2-512(2).
-
-At the time of writing, https://www.huque.com/bin/gen_tlsa
-is useful for quickly generating TLSA records; and commands like
-
- openssl x509 -in -pubkey -noout <certificate.pem \
- | openssl rsa -outform der -pubin 2>/dev/null \
- | openssl sha512 \
- | awk '{print $2}'
-
-are workable for 4th-field hashes.
-
-For use with the DANE-TA model, server certificates
-must have a correct name (SubjectName or SubjectAltName).
-
-The use of OCSP-stapling should be considered, allowing
-for fast revocation of certificates (which would otherwise
-be limited by the DNS TTL on the TLSA records). However,
-this is likely to only be usable with DANE-TA. NOTE: the
-default of requesting OCSP for all hosts is modified iff
-DANE is in use, to:
-
- hosts_request_ocsp = ${if or { {= {0}{$tls_out_tlsa_usage}} \
- {= {4}{$tls_out_tlsa_usage}} } \
- {*}{}}
-
-The (new) variable $tls_out_tlsa_usage is a bitfield with
-numbered bits set for TLSA record usage codes.
-The zero above means DANE was not in use,
-the four means that only DANE-TA usage TLSA records were
-found. If the definition of hosts_request_ocsp includes the
-string "tls_out_tlsa_usage", they are re-expanded in time to
-control the OCSP request.
-
-This modification of hosts_request_ocsp is only done if
-it has the default value of "*". Admins who change it, and
-those who use hosts_require_ocsp, should consider the interaction
-with DANE in their OCSP settings.
-
-
-For client-side DANE there are two new smtp transport options,
-hosts_try_dane and hosts_require_dane.
-[ should they be domain-based rather than host-based? ]
-
-Hosts_require_dane will result in failure if the target host
-is not DNSSEC-secured.
-
-DANE will only be usable if the target host has DNSSEC-secured
-MX, A and TLSA records.
-
-A TLSA lookup will be done if either of the above options match
-and the host-lookup succeeded using dnssec.
-If a TLSA lookup is done and succeeds, a DANE-verified TLS connection
-will be required for the host. If it does not, the host will not
-be used; there is no fallback to non-DANE or non-TLS.
-
-If DANE is requested and useable (see above) the following transport
-options are ignored:
- hosts_require_tls
- tls_verify_hosts
- tls_try_verify_hosts
- tls_verify_certificates
- tls_crl
- tls_verify_cert_hostnames
-
-If DANE is not usable, whether requested or not, and CA-anchored
-verification evaluation is wanted, the above variables should be set
-appropriately.
-
-Currently dnssec_request_domains must be active (need to think about that)
-and dnssec_require_domains is ignored.
-
-If verification was successful using DANE then the "CV" item
-in the delivery log line will show as "CV=dane".
-
-There is a new variable $tls_out_dane which will have "yes" if
-verification succeeded using DANE and "no" otherwise (only useful
-in combination with EXPERIMENTAL_EVENT), and a new variable
-$tls_out_tlsa_usage (detailed above).
-
-Under GnuTLS, DANE is only supported from versin 3.0.0 onwards
-
-
-
DSN extra information
---------------------
If compiled with EXPERIMENTAL_DSN_INFO extra information will be added
-1, /* tls_active */
0, /* bits */
FALSE, /* tls_certificate_verified */
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
FALSE, /* dane_verified */
0, /* tlsa_usage */
#endif
# PCRE_LIBS=-lpcre
+#------------------------------------------------------------------------------
+# Uncomment the following line to add DANE support
+# Note: Enabling this unconditionally overrides DISABLE_DNSSEC
+# For DANE under GnuTLS we need an additional library. See TLS_LIBS below.
+# SUPPORT_DANE=yes
+
#------------------------------------------------------------------------------
# Additional libraries and include directories may be required for some
# lookup styles (e.g. LDAP, MYSQL or PGSQL). LOOKUP_LIBS is included only on
# By default, Exim has support for checking the AD bit in a DNS response, to
# determine if DNSSEC validation was successful. If your system libraries
# do not support that bit, then set DISABLE_DNSSEC to "yes"
-# Note: Enabling EXPERIMENTAL_DANE unconditionally overrides this setting.
+# Note: Enabling SUPPORT_DANE unconditionally overrides this setting.
# DISABLE_DNSSEC=yes
# CFLAGS += -I/opt/brightmail/bsdk-6.0/include
# LDFLAGS += -lxml2_single -lbmiclient_single -L/opt/brightmail/bsdk-6.0/lib
-# Uncomment the following line to add DANE support
-# Note: Enabling this unconditionally overrides DISABLE_DNSSEC
-# For DANE under GnuTLS we need an additional library. See TLS_LIBS below.
-# EXPERIMENTAL_DANE=yes
-
# Uncomment the following to include extra information in fail DSN message (bounces)
# EXPERIMENTAL_DSN_INFO=yes
#define STRING_SPRINTF_BUFFER_SIZE (8192 * 4)
#define SUPPORT_CRYPTEQ
+#define SUPPORT_DANE
#define SUPPORT_I18N
#define SUPPORT_I18N_2008
#define SUPPORT_MAILDIR
/* EXPERIMENTAL features */
#define EXPERIMENTAL_BRIGHTMAIL
-#define EXPERIMENTAL_DANE
#define EXPERIMENTAL_DCC
#define EXPERIMENTAL_DSN_INFO
#define EXPERIMENTAL_DMARC
in a dummy argument to stop even pickier compilers complaining about infinite
loops. */
-#ifndef EXPERIMENTAL_DANE
+#ifndef SUPPORT_DANE
static void dummy(int x) { dummy(x-1); }
#else
# endif
-#endif /* EXPERIMENTAL_DANE */
+#endif /* SUPPORT_DANE */
/* End of dane.c */
s = string_append(s, 2, US" CV=",
testflag(addr, af_cert_verified)
?
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
testflag(addr, af_dane_verified)
? "dane"
:
tls_out.cipher = addr->cipher;
tls_out.peerdn = addr->peerdn;
tls_out.ocsp = addr->ocsp;
-# ifdef EXPERIMENTAL_DANE
+# ifdef SUPPORT_DANE
tls_out.dane_verified = testflag(addr, af_dane_verified);
# endif
#endif
tls_out.cipher = NULL;
tls_out.peerdn = NULL;
tls_out.ocsp = OCSP_NOT_REQ;
-# ifdef EXPERIMENTAL_DANE
+# ifdef SUPPORT_DANE
tls_out.dane_verified = FALSE;
# endif
#endif
/* The certificate verification status goes into the flags */
if (tls_out.certificate_verified) setflag(addr, af_cert_verified);
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
if (tls_out.dane_verified) setflag(addr, af_dane_verified);
#endif
#ifdef WITH_CONTENT_SCAN
fprintf(f, " Content_Scanning");
#endif
+#ifdef SUPPORT_DANE
+ fprintf(f, " DANE");
+#endif
#ifndef DISABLE_DKIM
fprintf(f, " DKIM");
#endif
#ifdef EXPERIMENTAL_BRIGHTMAIL
fprintf(f, " Experimental_Brightmail");
#endif
-#ifdef EXPERIMENTAL_DANE
- fprintf(f, " Experimental_DANE");
-#endif
#ifdef EXPERIMENTAL_DCC
fprintf(f, " Experimental_DCC");
#endif
#endif
/* DANE w/o DNSSEC is useless */
-#if defined(EXPERIMENTAL_DANE) && defined(DISABLE_DNSSEC)
+#if defined(SUPPORT_DANE) && defined(DISABLE_DNSSEC)
# undef DISABLE_DNSSEC
#endif
{ "tls_out_bits", vtype_int, &tls_out.bits },
{ "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified },
{ "tls_out_cipher", vtype_stringptr, &tls_out.cipher },
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
{ "tls_out_dane", vtype_bool, &tls_out.dane_verified },
#endif
{ "tls_out_ocsp", vtype_int, &tls_out.ocsp },
#if defined(SUPPORT_TLS)
{ "tls_out_sni", vtype_stringptr, &tls_out.sni },
#endif
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
{ "tls_out_tlsa_usage", vtype_int, &tls_out.tlsa_usage },
#endif
extern int tls_client_start(int, host_item *, address_item *,
transport_instance *,
-# ifdef EXPERIMENTAL_DANE
+# ifdef SUPPORT_DANE
dns_answer *,
# endif
uschar **);
extern uschar * tls_field_from_dn(uschar *, const uschar *);
extern BOOL tls_is_name_for_cert(const uschar *, void *);
-# ifdef EXPERIMENTAL_DANE
+# ifdef SUPPORT_DANE
extern int tlsa_lookup(const host_item *, dns_answer *, BOOL);
# endif
.active = -1,
.bits = 0,
.certificate_verified = FALSE,
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
.dane_verified = FALSE,
.tlsa_usage = 0,
#endif
.active = -1,
.bits = 0,
.certificate_verified = FALSE,
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
.dane_verified = FALSE,
.tlsa_usage = 0,
#endif
uschar *dns_again_means_nonexist = NULL;
int dns_csa_search_limit = 5;
BOOL dns_csa_use_reverse = TRUE;
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
int dns_dane_ok = -1;
#endif
uschar *dns_ipv4_lookup = NULL;
int active; /* fd/socket when in a TLS session */
int bits; /* bits used in TLS session */
BOOL certificate_verified; /* Client certificate verified */
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
BOOL dane_verified; /* ... via DANE */
int tlsa_usage; /* TLSA record(s) usage */
#endif
extern int dns_csa_search_limit; /* How deep to search for CSA SRV records */
extern BOOL dns_csa_use_reverse; /* Check CSA in reverse DNS? (non-standard) */
extern uschar *dns_ipv4_lookup; /* For these domains, don't look for AAAA (or A6) */
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
extern int dns_dane_ok; /* Ok to use DANE when checking TLS authenticity */
#endif
extern int dns_retrans; /* Retransmission time setting */
#ifdef EXPERIMENTAL_BRIGHTMAIL
builtin_macro_create(US"_HAVE_BRIGHTMAIL");
#endif
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
builtin_macro_create(US"_HAVE_DANE");
#endif
#ifdef EXPERIMENTAL_DCC
#ifdef SUPPORT_TLS
tls_in.certificate_verified = FALSE;
-# ifdef EXPERIMENTAL_DANE
+# ifdef SUPPORT_DANE
tls_in.dane_verified = FALSE;
# endif
tls_in.cipher = NULL;
#endif
BOOL af_chunking_used:1; /* delivery used SMTP CHUNKING */
BOOL af_force_command:1; /* force_command in pipe transport */
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
BOOL af_dane_verified:1; /* TLS cert verify done with DANE */
#endif
#ifdef SUPPORT_I18N
#if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
# define SUPPORT_SRV_OCSP_STACK
#endif
-#if GNUTLS_VERSION_NUMBER >= 0x030000 && defined(EXPERIMENTAL_DANE)
-# define SUPPORT_DANE
-# define DANESSL_USAGE_DANE_TA 2
-# define DANESSL_USAGE_DANE_EE 3
-#endif
-#if GNUTLS_VERSION_NUMBER < 0x999999 && defined(EXPERIMENTAL_DANE)
-# define GNUTLS_BROKEN_DANE_VALIDATION
+
+#ifdef SUPPORT_DANE
+# if GNUTLS_VERSION_NUMBER >= 0x030000
+# define DANESSL_USAGE_DANE_TA 2
+# define DANESSL_USAGE_DANE_EE 3
+# else
+# error GnuTLS version too early for DANE
+# endif
+# if GNUTLS_VERSION_NUMBER < 0x999999
+# define GNUTLS_BROKEN_DANE_VALIDATION
+# endif
#endif
#ifndef DISABLE_OCSP
tls_client_start(int fd, host_item *host,
address_item *addr ARG_UNUSED,
transport_instance * tb,
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
dns_answer * tlsa_dnsa,
#endif
uschar ** errstr)
#ifndef DISABLE_OCSP
# include <openssl/ocsp.h>
#endif
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
# include "danessl.h"
#endif
}
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
/* This gets called *by* the dane library verify callback, which interposes
itself.
return preverify_ok;
}
-#endif /*EXPERIMENTAL_DANE*/
+#endif /*SUPPORT_DANE*/
/*************************************************
optional, set up appropriately. */
tls_in.certificate_verified = FALSE;
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
tls_in.dane_verified = FALSE;
#endif
server_verify_callback_called = FALSE;
}
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
static int
dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
{
log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
return DEFER;
}
-#endif /*EXPERIMENTAL_DANE*/
+#endif /*SUPPORT_DANE*/
int
tls_client_start(int fd, host_item *host, address_item *addr,
transport_instance * tb,
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
dns_answer * tlsa_dnsa,
#endif
uschar ** errstr)
BOOL require_ocsp = FALSE;
#endif
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
tls_out.tlsa_usage = 0;
#endif
#ifndef DISABLE_OCSP
{
-# ifdef EXPERIMENTAL_DANE
+# ifdef SUPPORT_DANE
if ( tlsa_dnsa
&& ob->hosts_request_ocsp[0] == '*'
&& ob->hosts_request_ocsp[1] == '\0'
verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
request_ocsp = TRUE;
else
-# ifdef EXPERIMENTAL_DANE
+# ifdef SUPPORT_DANE
if (!request_ocsp)
# endif
request_ocsp =
return tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
}
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
if (tlsa_dnsa)
{
SSL_CTX_set_verify(client_ctx,
}
}
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
if (tlsa_dnsa)
if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa, errstr)) != OK)
return rc;
#ifndef DISABLE_OCSP
/* Request certificate status at connection-time. If the server
does OCSP stapling we will get the callback (set in tls_init()) */
-# ifdef EXPERIMENTAL_DANE
+# ifdef SUPPORT_DANE
if (request_ocsp)
{
const uschar * s;
rc = SSL_connect(client_ssl);
alarm(0);
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
if (tlsa_dnsa)
DANESSL_cleanup(client_ssl);
#endif
{ "hosts_require_auth", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_require_auth) },
#ifdef SUPPORT_TLS
-# ifdef EXPERIMENTAL_DANE
+# ifdef SUPPORT_DANE
{ "hosts_require_dane", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_require_dane) },
# endif
(void *)offsetof(smtp_transport_options_block, hosts_try_auth) },
{ "hosts_try_chunking", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_try_chunking) },
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
+#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
{ "hosts_try_dane", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_try_dane) },
#endif
.hosts_try_auth = NULL,
.hosts_require_auth = NULL,
.hosts_try_chunking = US"*",
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
.hosts_try_dane = NULL,
.hosts_require_dane = NULL,
#endif
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
/* Lookup TLSA record for host/port.
Return: OK success with dnssec; DANE mode
DEFER Do not use this host now, may retry later
int
smtp_setup_conn(smtp_context * sx, BOOL suppress_tls)
{
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
+#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
dns_answer tlsa_dnsa;
#endif
BOOL pass_message = FALSE;
sx->utf8_needed = FALSE;
#endif
sx->dsn_all_lasthop = TRUE;
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
+#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
sx->dane = FALSE;
sx->dane_required = verify_check_given_host(&sx->ob->hosts_require_dane, sx->host) == OK;
#endif
smtp_port_for_connect(sx->host, sx->port);
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
+#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
/* Do TLSA lookup for DANE */
{
tls_out.dane_verified = FALSE;
address_item * addr;
uschar * errstr;
int rc = tls_client_start(sx->inblock.sock, sx->host, sx->addrlist, sx->tblock,
-# ifdef EXPERIMENTAL_DANE
+# ifdef SUPPORT_DANE
sx->dane ? &tlsa_dnsa : NULL,
# endif
&errstr);
if (rc != OK)
{
-# ifdef EXPERIMENTAL_DANE
+# ifdef SUPPORT_DANE
if (sx->dane) log_write(0, LOG_MAIN,
"DANE attempt failed; TLS connection to %s [%s]: %s",
sx->host->name, sx->host->address, errstr);
have one. */
else if ( sx->smtps
-# ifdef EXPERIMENTAL_DANE
+# ifdef SUPPORT_DANE
|| sx->dane
# endif
|| verify_check_given_host(&sx->ob->hosts_require_tls, sx->host) == OK
uschar *hosts_try_auth;
uschar *hosts_require_auth;
uschar *hosts_try_chunking;
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
uschar *hosts_try_dane;
uschar *hosts_require_dane;
#endif
BOOL utf8_needed:1;
#endif
BOOL dsn_all_lasthop:1;
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
+#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
BOOL dane:1;
BOOL dane_required:1;
#endif
-support Experimental_DANE
+support DANE
lookup dnsdb
-support Experimental_DANE
+support DANE
support GnuTLS
running IPv4
-support Experimental_DANE
+support DANE
support OpenSSL
running IPv4
-support Experimental_DANE
+support DANE
support Event
support OpenSSL
running IPv4
git://git.exim.org / exim.git / commitdiff