wget-dev

Re: wget2 | DANE support (#627)


From: Viktor Dukhovni (@dviktor)
Subject: Re: wget2 | DANE support (#627)
Date: Mon, 24 Apr 2023 21:13:04 +0000



Viktor Dukhovni commented on a discussion: 
https://gitlab.com/gnuwget/wget2/-/issues/627#note_1365463007

> I am not so much into OpenSSL (maybe @juaristi likes to pick this up)

As the author of the DANE support in OpenSSL I should perhaps mention a few 
salient considerations:

* Support for DANE in OpenSSL is an X.509-layer feature.  It makes it possible 
to validate a peer's certificate chain **given** the relevant TLSA records.
* Obtaining relevant TLSA records (be they from DNS, validated via DNSSEC, or 
from some other source/oracle) is the application's responsibility. OpenSSL 
**does not** do the TLSA lookups.
* This makes it possible to use DANE TLSA records in a variety of contexts that 
are not backed by DNSSEC, e.g. EE or CA key pinning, per-peer trust anchors 
outside the normal CA bundle, ...

Therefore, an application that supports (DNS-based) DANE over OpenSSL would 
typically make use of an additional library to perform DNSSEC-validated TLSA 
record lookups and take appropriate measures if the lookups fail.  The "ldns" 
library from NLNetLabs IIRC supports not only DNSSEC-validation of TLSA 
lookups, but then also making TLS connections to the target via the DANE 
support in OpenSSL.  Or the application can just delegate the DNS lookups, or 
even use the C-library stub resolver and trust the AD bit (when the configured 
resolver is local, a detail which isn't always exposed by the legacy libresolv).

OpenSSL support for DANE-based certificate validation is feature complete 
(supports all the bells/whistles of RFC6698 and RFC7671), but focused on just 
that task.  Doing the DNS lookups is deliberately out of scope.  OpenSSL 3.2 
(still in development) also supports DANE for raw public keys (RFC7250), doing 
away entirely with certificates, if the application client and server support 
that option.

The Postfix MTA supports both opportunistic and mandatory DANE validation with 
OpenSSL as the underlying engine (as of Postfix 3.6), and is expected to add 
RPK support in the 3.9 release (~Q1 2024), if linked with OpenSSL 3.2 or later 
(release date TBD).

-- 
Reply to this email directly or view it on GitLab: 
https://gitlab.com/gnuwget/wget2/-/issues/627#note_1365463007
You're receiving this email because of your account on gitlab.com.
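The division of labour described in the comment above, as an added example (my code, not wget2's or OpenSSL's): the application side of DANE. It parses TLSA records in presentation form, gates on the DNSSEC status of the lookup (the "take appropriate measures if the lookups fail" point), and shows what a DANE-EE(3) match actually means by pulling the SubjectPublicKeyInfo out of a DER certificate and comparing it per the RFC 6698 selector and matching-type fields. The certificate bytes and the (status, records) lookup result are constructed stand-ins; the four parsed fields are exactly what a real client would pass to SSL_dane_tlsa_add() after SSL_CTX_dane_enable()/SSL_dane_enable(), and DANE-TA(2) and the PKIX usages, which need chain building, are deliberately left to the library.

```python
"""Added example (not wget2 or OpenSSL code): the part of DANE that the
application, not OpenSSL, must do.  It parses TLSA records, gates on the
DNSSEC status of the lookup, and shows what a DANE-EE(3) match means by
extracting the SubjectPublicKeyInfo from a DER certificate and comparing
per the TLSA selector / matching-type fields of RFC 6698."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int     # RFC 6698 s2.1.1: 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # RFC 6698 s2.1.2: 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # RFC 6698 s2.1.3: 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data


def parse_tlsa(presentation: str) -> TLSA:
    """Parse the zone-file / dig form '3 1 1 <hex...>' (hex may be split by spaces)."""
    usage, selector, mtype, *hexparts = presentation.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def _tlv(buf: bytes, off: int):
    """(tag, value_start, value_end) of the DER TLV at buf[off]; definite lengths only."""
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:                       # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr += n
    return tag, off + hdr, off + hdr + length


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 s4.1 layout)."""
    _, off, _ = _tlv(cert_der, 0)           # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, off, _ = _tlv(cert_der, off)         # descend into TBSCertificate
    tag, _, end = _tlv(cert_der, off)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        off = end
    for _ in range(5):                      # skip serialNumber, signature, issuer, validity, subject
        _, _, off = _tlv(cert_der, off)
    _, _, end = _tlv(cert_der, off)         # subjectPublicKeyInfo
    return cert_der[off:end]


def tlsa_matches(rec: TLSA, cert_der: bytes) -> bool:
    """Does one TLSA record's association data match this end-entity certificate?"""
    if rec.selector == 0:
        selected = cert_der
    elif rec.selector == 1:
        selected = spki_from_cert(cert_der)
    else:
        return False                        # unknown selector: record unusable, never a match
    if rec.mtype == 0:
        return selected == rec.data
    if rec.mtype == 1:
        return hashlib.sha256(selected).digest() == rec.data
    if rec.mtype == 2:
        return hashlib.sha512(selected).digest() == rec.data
    return False                            # unknown matching type: unusable


def dane_ee_verdict(lookup, cert_der: bytes) -> str:
    """lookup is a constructed (status, records) pair: status is 'secure' (DNSSEC-validated,
    i.e. the AD bit from a trusted local resolver), 'insecure' (unsigned zone) or 'bogus'
    (validation failed).  Only DANE-EE(3) is matched here; DANE-TA(2) and the PKIX
    usages need chain building, which a real client leaves to the TLS library."""
    status, records = lookup
    if status == "bogus":
        return "fail"                       # a validation failure must abort, never downgrade
    if status != "secure" or not records:
        return "no-dane"                    # fall back to ordinary PKIX, or refuse if DANE is mandatory
    ee = [r for r in records if r.usage == 3]
    if not ee:
        return "defer"                      # hand the records to the library's chain validation
    return "pass" if any(tlsa_matches(r, cert_der) for r in ee) else "fail"


# --- constructed sample data (not a real certificate: dummy names, no signature) ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


SEQ, INT, BITSTR, OID, NULL = 0x30, 0x02, 0x03, 0x06, 0x05
SAMPLE_SPKI = _der(SEQ, _der(SEQ, _der(OID, bytes.fromhex("2a864886f70d010101")) + _der(NULL, b""))
                   + _der(BITSTR, b"\x00" + b"\x42" * 70))   # rsaEncryption, dummy key bits
_TBS = _der(SEQ, _der(0xA0, _der(INT, b"\x02")) + _der(INT, b"\x01")
            + _der(SEQ, b"") * 4 + SAMPLE_SPKI)   # version, serial, sigalg, issuer, validity, subject, spki
SAMPLE_CERT = _der(SEQ, _TBS + _der(SEQ, b"") + _der(BITSTR, b"\x00"))

SECURE_RECORDS = [parse_tlsa("3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest())]

if __name__ == "__main__":
    print(dane_ee_verdict(("secure", SECURE_RECORDS), SAMPLE_CERT))     # pass
    print(dane_ee_verdict(("insecure", SECURE_RECORDS), SAMPLE_CERT))   # no-dane
    print(dane_ee_verdict(("bogus", []), SAMPLE_CERT))                  # fail
```

Note the asymmetry between the two non-secure outcomes: an "insecure" answer (unsigned zone) means DANE simply does not apply to this peer, while a "bogus" answer (signatures present but failing) must be treated as an attack and never silently downgraded to PKIX. That distinction is only visible to code that sees the resolver's validation status, which is why trusting a bare AD bit is only safe when the validating resolver is local.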
