[gnutls-devel] GnuTLS | Unclear extent of functionality of danetool --check (#558)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sat Sep 8 19:22:34 CEST 2018

New Issue was created.

Issue 558: https://gitlab.com/gnutls/gnutls/issues/558
Author:    Andreas Metzler

## Description of problem:
p11tool(1) says
   Check a host's DANE TLSA entry.

   Obtains the DANE TLSA entry from the given hostname and prints information. Note
   that the actual certificate of the host can be provided using --load-certificate,
   otherwise danetool will connect to the server to obtain it. The exit code on verification
   success will be zero.
I understood this to mean that p11tool actually does trust verification. However afaict this is somewhere in between a syntax check and a trust path validation. I *think* p11tool uses the following steps:
1. Pull the TLSA record
2. Connect to the host and get receive the provided certificate chain.
3. Verify the server certificate using the provided certificate chain and TLSA record, i.e.
   - with certificate usage 0 or 2 check for a signing certificate in the chain
   - with certificate usage 1 or 3 check that the server cert matches the fingerprint in the TLSA record.
   - The local trust store is never consulted.

I do understand that it might make sense to not consult the local trust-store since _gnutls-cli --dane_ already exists.

## Version of gnutls used:
gnutls GIT d4624761e3893314d5504a6ecbc9da6ff758bc41 (15 Aug 2018) - post 3.6.3

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/558
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20180908/1b3fc055/attachment-0001.html>

More information about the Gnutls-devel mailing list