[gnutls-devel] GnuTLS | gnutls-cli - incomplete DANE support (#557)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sat Sep 8 19:04:36 CEST 2018

New Issue was created.

Issue 557: https://gitlab.com/gnutls/gnutls/issues/557
Author:    Andreas Metzler

## Description of problem:

gnutls-cli DANE support is incomplete. Even when certificate usage in the TLSA record specifies "trust anchor assertion" or "domain-issued certificate" the trust check requires a match in the local trust-store.

## Version of gnutls used:
3.6.3 + git d4624761e3893314d5504a6ecbc9da6ff758bc41 (August 15 2018)

Also applies to 3.5.x

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

## How reproducible:

Steps to Reproduce:
1. Make sure that Let's Encrypt CA is not in trust-store
2. gnutls-cli --dane lists.gentoo.org --starttls-proto=smtp < /dev/null

## Actual results:
The connection fails with "The certificate is NOT trusted".

## Expected results:
Successful connection.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/557
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20180908/82842755/attachment.html>

More information about the Gnutls-devel mailing list