[gnutls-devel] GnuTLS | gnutls-cli - incomplete DANE support (#557)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Sun Jul 7 11:13:26 CEST 2024

Andreas Metzler commented: https://gitlab.com/gnutls/gnutls/-/issues/557#note_1986670629


Picking this up again. I think something's broken here; it might have happened since I submitted this. I just cannot get Certificate usage=2 (DANE-TA Trust anchor assertion) to work at all on 3.8.5:

Running `gnutls-cli -V --no-ca-verification --dane --starttls-proto=smtp lists.gentoo.org` ends with:
```
*** DANE verification error: The requested data are not available.
*** Fatal error: Error in the certificate.
```

AFAICT the setup is correct:
```
- Got a certificate list of 3 certificates.
- Certificate[0] info:
[...]
        Issuer: CN=R11,O=Let's Encrypt,C=US
[...]
        Subject: CN=lists.gentoo.org
[...]
- Certificate[1] info:
[...]
        Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
        Validity:
[...]
        Subject: CN=R11,O=Let's Encrypt,C=US
[...]
        Public Key ID:
                sha1:4b7c1c92dee1c036cb2cc3cbfab7b529a8447c3d
                sha256:6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7
[...]
- Certificate[2] info:
[...]
        Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
[...]
        Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
```
And
```
ametzler at argenau:~$ host -t tlsa _25._tcp.lists.gentoo.org
_25._tcp.lists.gentoo.org is an alias for postfix-tlsa.pigeon.gentoo.org.
postfix-tlsa.pigeon.gentoo.org is an alias for generic-letsencrypt.tlsa.gentoo.org.
[multiple records for generic-letsencrypt.tlsa.gentoo.org]
generic-letsencrypt.tlsa.gentoo.org has TLSA record 2 1 1 6DDAC18698F7F1F7E1C69B9BCE420D974AC6F94CA8B2C761701623F9 9C767DC7
```
i.e. the sha256 hash matches the one of certificate[1]. What's up with **The requested data are not available.**?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/557#note_1986670629
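To separate "does the TLSA record actually match the chain" from whatever gnutls-cli is reporting, it helps to redo the RFC 6698 matching by hand. The script below is an added example, not code from the GnuTLS project or from the comment above. It uses only the Python standard library, walks the certificate DER far enough to pull out the SubjectPublicKeyInfo (what selector 1 covers), applies the matching type, and honours the usage field: usage 2 (DANE-TA) may match any certificate in the presented chain, usage 3 (DANE-EE) only the end-entity certificate. The chain it checks is constructed here with dummy keys and hypothetical names; it is not the lists.gentoo.org chain, and `mail.example`, `Test Intermediate` and `Test Root` are placeholders.

```python
"""Check a TLSA record against a certificate chain by hand (RFC 6698 semantics).

Added example, not code from the GnuTLS project or from the thread above.
Standard library only. The certificate chain below is constructed with dummy
keys and signatures; every name in it is hypothetical."""
import base64
import hashlib


# ---- minimal DER reader (just enough to walk an X.509 certificate) ----------
def der_tlv(buf, off=0):
    """Return (tag, value_start, value_end) of the DER TLV at offset off."""
    tag, ln, i = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, i, i + ln


def der_children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each element in [start, end)."""
    off = start
    while off < end:
        tag, vs, ve = der_tlv(buf, off)
        yield tag, off, vs, ve
        off = ve


def spki_der(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER certificate (TLSA selector 1)."""
    _, cert_vs, cert_ve = der_tlv(cert_der)                                 # Certificate SEQUENCE
    _, _, tbs_vs, tbs_ve = next(der_children(cert_der, cert_vs, cert_ve))   # tbsCertificate
    fields = list(der_children(cert_der, tbs_vs, tbs_ve))
    # tbsCertificate: [0] version OPTIONAL, serial, sigAlg, issuer, validity, subject, SPKI, ...
    idx = 6 if fields[0][0] == 0xA0 else 5
    tag, tlv_start, _, ve = fields[idx]
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not where expected")
    return cert_der[tlv_start:ve]


# ---- TLSA matching per RFC 6698 ---------------------------------------------
SELECTOR = {0: lambda c: c,                          # 0: full certificate
            1: spki_der}                             # 1: SubjectPublicKeyInfo
MATCHING = {0: lambda d: d,                          # 0: exact data
            1: lambda d: hashlib.sha256(d).digest(), # 1: SHA-256
            2: lambda d: hashlib.sha512(d).digest()} # 2: SHA-512


def tlsa_match(usage, selector, mtype, assoc_hex, chain_der):
    """Return the chain index the record matches, or None.

    usage 0/2 (PKIX-TA/DANE-TA): any certificate in the chain may be the anchor.
    usage 1/3 (PKIX-EE/DANE-EE): only the end-entity certificate, chain_der[0].
    assoc_hex may contain the whitespace `host -t tlsa` inserts into long hashes."""
    want = bytes.fromhex(assoc_hex.replace(" ", ""))
    candidates = list(enumerate(chain_der)) if usage in (0, 2) else [(0, chain_der[0])]
    for i, cert in candidates:
        if MATCHING[mtype](SELECTOR[selector](cert)) == want:
            return i
    return None


def spki_sha256_hex(cert_der):
    """sha256 over the SPKI DER: the association data a `2 1 1` or `3 1 1` record carries."""
    return hashlib.sha256(spki_der(cert_der)).hexdigest()


def pem_chain_to_der(pem_text):
    """Decode a PEM bundle (e.g. one written by gnutls-cli --save-cert) into DER certificates."""
    out, buf, inside = [], [], False
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE"):
            buf, inside = [], True
        elif line.startswith("-----END CERTIFICATE"):
            out.append(base64.b64decode("".join(buf)))
            inside = False
        elif inside:
            buf.append(line.strip())
    return out


# ---- constructed test chain (hypothetical names, dummy keys and signatures) --
def der(tag, content):
    n = len(content)
    if n < 0x80:
        hdr = bytes([tag, n])
    elif n < 0x100:
        hdr = bytes([tag, 0x81, n])
    else:
        hdr = bytes([tag, 0x82, n >> 8, n & 0xFF])
    return hdr + content


def fake_cert(subject_cn, issuer_cn, key_bytes):
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))
                                                  + der(0x0C, cn.encode()))))
    alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")))        # sha256WithRSAEncryption
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    spki = der(0x30, der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
                     + der(0x03, b"\x00" + key_bytes))                     # rsaEncryption + opaque key
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
                    + name(issuer_cn) + validity + name(subject_cn) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 33))                 # dummy signature


CHAIN = [fake_cert("mail.example", "Test Intermediate", b"\x01" * 64),   # [0] end entity
         fake_cert("Test Intermediate", "Test Root", b"\x02" * 64),       # [1] issuing CA
         fake_cert("Test Root", "Test Root", b"\x03" * 64)]               # [2] root

if __name__ == "__main__":
    # A `2 1 1` record for the intermediate, laid out the way `host` prints it
    h = spki_sha256_hex(CHAIN[1]).upper()
    record = "2 1 1 " + h[:56] + " " + h[56:]
    usage, sel, mt, data = record.split(" ", 3)
    print("DANE-TA (usage 2) match at chain index:", tlsa_match(int(usage), int(sel), int(mt), data, CHAIN))
    print("same data as DANE-EE (usage 3):", tlsa_match(3, int(sel), int(mt), data, CHAIN))
```

For a real check, save the peer chain with `gnutls-cli --save-cert=chain.pem ...`, feed the file through `pem_chain_to_der`, and pass the four fields of the `host -t tlsa` line to `tlsa_match`; a `2 1 1` record should come back with the index of the intermediate, and the same data with usage 3 should come back `None`, which is the difference between DANE-TA and DANE-EE that the comment above is exercising.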
