DANE support in Exim with OpenSSL
OpenSSL 1.0.2 has passed EOL, and 1.1.1 is the primary LTS (indeed
presently the only one still supported) OpenSSL release, with OpenSSL 3.0
soon to enter beta.

With that in mind, in Postfix I decided to replace the legacy DANE code
(essentially the same as, and the original version of what is presently
used in Exim) with new DANE code that delegates all the X.509 validation
logic to OpenSSL, and just marshals the TLSA records into OpenSSL for
validation.

I would like to recommend that, when convenient, Exim should probably do the
same. The documentation for the OpenSSL DANE API is at:

https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_dane_enable.html

If you have questions about the OpenSSL DANE API, feel free to drop me
a note, or ask on this list. This does not subsume the DNS logic, so
Exim would still need to perform all the relevant lookups and decide
when to enable DANE etc., but all the chain verification logic would now
be via OpenSSL, rather than my legacy danssl library (still found at:
https://github.com/vdukhovni/ssl_dane).

The new Postfix DANE code will appear in an upcoming Postfix 3.6
snapshot, for eventual inclusion in the 3.6 stable release in early
2021.

[ Because Postfix uses DANE also for its "fingerprint" security policy,
and for per-destination trust-anchors, mapping these to synthetic DANE-EE
and DANE-TA records as appropriate, the code in Postfix is probably not
the best reference implementation to look at, with many other things going
on besides just DANE. The OpenSSL docs should be sufficient, but if
not I'll be happy to fill any gaps that need attention. ]

--
Viktor.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
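To illustrate the division of labour described above (the MTA keeps the DNS side, filters the TLSA RRset and marshals it into the library; the library does the chain checks), here is an added example that is not Exim or Postfix code. It filters records per RFC 7672 section 3.1 and hands the usable ones to a callback with the shape of OpenSSL's SSL_dane_tlsa_add(); the tlsa_add_fn type, stub_add, demo_load and the constructed records are assumptions, and a real build would pass a wrapper around SSL_dane_tlsa_add() after SSL_dane_enable().

```c
#include <stddef.h>
#include <stdint.h>

/* Same shape as OpenSSL's SSL_dane_tlsa_add(); a real MTA passes a thin wrapper
 * around that call (hypothetical glue) and its SSL handle as the ssl argument. */
typedef int (*tlsa_add_fn)(void *ssl, uint8_t usage, uint8_t selector,
                           uint8_t mtype, const unsigned char *data, size_t dlen);

/* RFC 7672 s.3.1: SMTP clients use only DANE-TA(2)/DANE-EE(3) with selector
 * Cert(0)/SPKI(1), matching type Full(0)/SHA2-256(1)/SHA2-512(2) and a digest of
 * the right length. Anything else is "unusable" and is skipped, not an error. */
int tlsa_usable(uint8_t usage, uint8_t selector, uint8_t mtype, size_t dlen)
{
    if ((usage != 2 && usage != 3) || selector > 1)
        return 0;
    return mtype == 0 ? dlen > 0 : mtype == 1 ? dlen == 32 : mtype == 2 ? dlen == 64 : 0;
}

/* Hand the usable records of a TLSA RRset (RFC 6698 wire form: usage, selector,
 * matching type, data) to the TLS library. Returns the number loaded, or -1 on a
 * library error; 0 means no usable records, so the caller must not enable DANE. */
int dane_marshal_tlsa(void *ssl, const unsigned char *const *rrs,
                      const size_t *lens, size_t n, tlsa_add_fn add)
{
    int loaded = 0;
    for (size_t i = 0; i < n; i++) {
        const unsigned char *p = rrs[i];
        if (lens[i] < 4 || !tlsa_usable(p[0], p[1], p[2], lens[i] - 3))
            continue;               /* malformed or unusable: skip, keep going */
        int rc = add(ssl, p[0], p[1], p[2], p + 3, lens[i] - 3);
        if (rc < 0)
            return -1;
        loaded += rc > 0;           /* OpenSSL returns 0 for a record it ignored */
    }
    return loaded;
}

/* Stand-in for SSL_dane_tlsa_add() so the example runs without libssl. */
static int stub_add(void *ssl, uint8_t u, uint8_t s, uint8_t m, const unsigned char *d, size_t n)
{ (void)u; (void)s; (void)m; (void)d; (void)n; ++*(int *)ssl; return 1; }
/* Constructed RRset: usable DANE-EE SPKI SHA2-256, PKIX-TA (unusable for SMTP),
 * and a DANE-EE record whose digest is truncated. Expected result: 1 loaded. */
int demo_load(void)
{
    static const unsigned char ee[35] = {3, 1, 1}, pkix[35] = {0, 0, 1}, bad[19] = {3, 1, 1};
    const unsigned char *rrs[] = { ee, pkix, bad };
    const size_t lens[] = { sizeof ee, sizeof pkix, sizeof bad };
    int calls = 0;
    return dane_marshal_tlsa(&calls, rrs, lens, 3, stub_add);
}
```

A result of 0 from dane_marshal_tlsa is the "TLSA records exist but none are usable" case, which the MTA must handle separately from "no TLSA records at all".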
Re: DANE support in Exim with OpenSSL
On 2020-07-06 at 01:07 -0400, Viktor Dukhovni via Exim-dev wrote:
> I would like recommend that when convenient, Exim should probably do the
> same. The documentation for the OpenSSL DANE API is at:

LibreSSL.

-Phil

Re: DANE support in Exim with OpenSSL
On Wed, Jul 08, 2020 at 06:54:14PM -0400, Phil Pennock wrote:

> On 2020-07-06 at 01:07 -0400, Viktor Dukhovni via Exim-dev wrote:
> > I would like recommend that when convenient, Exim should probably do the
> > same. The documentation for the OpenSSL DANE API is at:
>
> LibreSSL.

I take this rather terse reply to mean that the OpenSSL code in Exim is
intended to be agnostic between OpenSSL and LibreSSL. If that's the
case, then indeed you're stuck until that changes, or LibreSSL adds
API-compatible DANE support (I would guess unlikely to happen soon).

--
Viktor.
