> On Mar 4, 2021, at 4:44 PM, Keith Moore <moore@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> There are lots of applications (including but not limited to ordinary web browsers and servers) running on disconnected and intermittently-connected networks out there that need encryption, and which can't practically use TLS, because they don't use DNS or even host files.

But it's not a limitation of the TLS protocol so much as of the APIs and the code that does certificate verification. TLS without DNS name checks and/or without any hierarchical PKI is directly supported by OpenSSL.

For example, Postfix (via OpenSSL) supports "fingerprint" verification of the peer certificate, where a digest of the server's public key or certificate is matched against the expected value. The peer certificate is matched directly, without any reliance on DNS or trusted CAs.

Postfix supports isolated deployments without DNS (don't use either setting on MTAs delivering email to the public Internet):

    # No MX lookups for the nexthop domain
    disable_dns_lookups = yes

    # No DNS when mapping hosts to IP addresses
    smtp_host_lookup = native

You can still use TLS, in any of the supported verification modes:

http://www.postfix.org/TLS_README.html#client_tls_levels

-- 
Viktor.
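The "fingerprint" verification Viktor describes, a client that accepts the peer on a digest of its public key or certificate with no CA chain and no DNS name check, can be built on any TLS stack that exposes the raw peer certificate. The following Go program is an added illustration, not Postfix or OpenSSL code and not part of the original thread; the function names (ParseFingerprint, PinVerifier, PinnedClientConfig, SelfSignedDER) are the example's own, the digest is assumed to be SHA-256, and the self-signed certificate it generates is a constructed stand-in for a real peer so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Hypothetical helpers modelled on the Postfix "fingerprint" TLS level; these
// are not Postfix or OpenSSL APIs.

// ParseFingerprint accepts "ab:cd:..." or "abcd..." in either case and returns
// the raw 32-byte SHA-256 digest (the assumed digest algorithm).
func ParseFingerprint(fp string) ([]byte, error) {
	raw, err := hex.DecodeString(strings.ToLower(strings.ReplaceAll(fp, ":", "")))
	if err != nil {
		return nil, fmt.Errorf("fingerprint is not hex: %w", err)
	}
	if len(raw) != sha256.Size {
		return nil, fmt.Errorf("fingerprint has %d bytes, want %d", len(raw), sha256.Size)
	}
	return raw, nil
}

// PubKeyFingerprint digests the DER SubjectPublicKeyInfo, so the pin survives a
// certificate renewal that keeps the same key.
func PubKeyFingerprint(cert *x509.Certificate) []byte {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return sum[:]
}

// CertFingerprint digests the whole DER certificate; it changes on every reissue.
func CertFingerprint(der []byte) []byte {
	sum := sha256.Sum256(der)
	return sum[:]
}

// PinVerifier returns a tls.Config.VerifyPeerCertificate callback that accepts
// the peer only if the leaf's public-key or certificate digest equals expected.
func PinVerifier(expected []byte) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("peer sent no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return fmt.Errorf("cannot parse peer certificate: %w", err)
		}
		if subtle.ConstantTimeCompare(PubKeyFingerprint(leaf), expected) == 1 ||
			subtle.ConstantTimeCompare(CertFingerprint(rawCerts[0]), expected) == 1 {
			return nil
		}
		return fmt.Errorf("peer pin mismatch (public key sha256 %x)", PubKeyFingerprint(leaf))
	}
}

// PinnedClientConfig turns off chain building and hostname matching, which an
// isolated network has no CA or DNS to anchor, and makes the pin the sole check.
func PinnedClientConfig(expected []byte) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify:    true, // no CA / name check; the callback still authenticates the peer
		VerifyPeerCertificate: PinVerifier(expected),
		MinVersion:            tls.VersionTLS12,
	}
}

// SelfSignedDER builds a throwaway self-signed certificate (constructed test
// input standing in for the real peer) so the example runs without a network.
func SelfSignedDER() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, err := SelfSignedDER()
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	expected, _ := ParseFingerprint(hex.EncodeToString(PubKeyFingerprint(leaf)))
	fmt.Println("matching peer:", PinVerifier(expected)([][]byte{der}, nil))
	fmt.Println("wrong peer:   ", PinVerifier(make([]byte, sha256.Size))([][]byte{der}, nil))
	_ = PinnedClientConfig(expected) // would be handed to tls.Dial for a real connection
}
```

The design point mirrors Viktor's: InsecureSkipVerify on its own removes every check, so the callback has to supply one, and it does so against the peer's own key rather than against a CA or a DNS name. Pinning the SubjectPublicKeyInfo rather than the whole certificate means the expected value only has to be updated when the peer's key changes, which is the usual operational trade-off between the two fingerprint forms.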