--- /dev/null
+
+draft 11
+
+3.1.2 - Para 4 (records with Sel Full(0) are discouraged)
+==> There's a matching type Full but not such a Selector type.
+ Should this be "Cert(0), or Matching Type Full(0)" ?
+ Suspect the latter.
+
+3.1.2 Needs a para added regarding certificate date verification,
+ to contrast with the requirement to NOT check for
+ DANE-EE defined in 3.1.1
DANE requires a server operator to do three things:
1) run DNSSEC. This provides assurance to clients
that DNS lookups they do for the server have not
-been tampered with.
+been tampered with. The domain MX record applying
+to this server, its A record, its TLSA record and
+any associated CNAME records must all be covered by
+DNSSEC.
2) add TLSA DNS records. These say what the server
certificate for a TLS connection should be.
3) offer a server certificate, or certificate chain,
all of which point to a single TLSA record.
The TLSA record should have a Selector field of SPKI(1)
-and a Matching Type fiels of SHA2-512(2).
+and a Matching Type field of SHA2-512(2).
+
+At the time of writing, https://www.huque.com/bin/gen_tlsa
+is useful for quickly generating TLSA records; and commands like
+
+ openssl x509 -in -pubkey -noout <certificate.pem \
+ | openssl rsa -outform der -pubin 2>/dev/null \
+ | openssl sha512 \
+ | awk '{print $2}'
+
+are workable for 4th-field hashes.
For use with the DANE_TA model, server certificates
must have a correct name (SubjectName or SubjectAltName).
int matched = 0;
int chain_length = sk_X509_num(ctx->chain);
-DEBUG(D_tls) debug_printf("Dane library verify_chain fn called\n");
+DEBUG(D_tls) debug_printf("Dane verify_chain\n");
issuer_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_ISSUER];
leaf_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_LEAF];
int matched;
X509 *cert = ctx->cert; /* XXX: accessor? */
-DEBUG(D_tls) debug_printf("Dane library verify_cert fn called\n");
+DEBUG(D_tls) debug_printf("Dane verify_cert\n");
if(ssl_idx < 0)
ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
{
default: /* log bad */ return FAIL;
case 0: mdname = NULL; break;
- case 1: mdname = "SHA2-256"; break;
- case 2: mdname = "SHA2-512"; break;
+ case 1: mdname = "sha256"; break;
+ case 2: mdname = "sha512"; break;
}
switch (DANESSL_add_tlsa(client_ssl,
# Set certificate only if server
tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-
-#tls_verify_hosts = *
-#tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail}
+#tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
# ----- Routers -----
client:
driver = dnslookup
condition = ${if eq {SERVER}{server}{no}{yes}}
-# retry_use_local_part
dnssec_request_domains = *
self = send
transport = send_to_server
send_to_server:
driver = smtp
allow_localhost
-# hosts = 127.0.0.1
port = PORT_D
-# tls_certificate = DIR/aux-fixed/cert2
-# tls_privatekey = DIR/aux-fixed/cert2
-# tls_verify_certificates = DIR/aux-fixed/cert2
# hosts_try_dane = *
hosts_require_dane = *
DNSSEC eximtesthost A HOSTIPV4
alias-eximtesthost CNAME eximtesthost.test.ex.
-DNSSEC _1225._tcp.eximtesthost TLSA 3 1 2 f000baaa
+DNSSEC _1225._tcp.eximtesthost TLSA 3 1 2 3d5eb81b1dfc3f93c1fa8819e3fb3fdb41bb590441d5f3811db17772f4bc6de29bdd7c4f4b723750dda871b99379192b3f979f03db1252c4f08b03ef7176528d
; A bad CNAME
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to eximtesthost.test.ex [ip4.ip4.ip4.ip4] (tlsa load): error:8006C067:DANE library:func(108):Bad TLSA record digest
-1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@mxplain.test.ex R=client T=send_to_server defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@mxplain.test.ex R=client T=send_to_server H=eximtesthost.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaX-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => :blackhole: <CALLER@mxplain.test.ex> R=server
-1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@mxplain.test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
#
exim -DSERVER=server -bd -oX PORT_D
****
+# TLSA (3 1 2)
exim CALLER@mxplain.test.ex
Testing
****
-exim -d+all -qf
+exim -qf
****
killdaemon
exim -DSERVER=server -DNOTDAEMON -qf