On Wed, Oct 30, 2024 at 01:45:53PM +1100, Viktor Dukhovni wrote:

> > If I start by calling SSL_dane_enable() passing the basename, but then
> > the DNS lookup returns zero records which results in me calling
> > SSL_dane_tlsa_add() zero times, I expect a call to X509_verify_cert()
> > would return a verification mismatch given there is nothing to match.
> >
> > Instead I get a verify ok, which is unexpected.
>
> It means that the chain is valid relative to WebPKI, the call to
> SSL_dane_enable() configured the same name as both the hostname and the
> SNI name, and absent any DANE TLSA records WebPKI is still in effect.

This is consistent with the documentation, which I hope you've had a
chance to read:

https://docs.openssl.org/master/man3/SSL_CTX_dane_enable/#description

    ...
    The caller is expected to check the return value of each
    SSL_dane_tlsa_add() call and take appropriate action if none are
    usable or an internal error is encountered in processing some
    records. If no TLSA records are added successfully, DANE
    authentication is not enabled, and authentication will be based on
    any configured traditional trust-anchors; authentication success in
    this case does not mean that the peer was DANE-authenticated.

-- 
    Viktor.