Re: [dane] Fwd: New Version Notification for draft-york-dane-deployment-observations-00.txt

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 10 November 2014 22:06 UTC

Date: Mon, 10 Nov 2014 22:06:28 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141110220628.GK161@mournblade.imrryr.org>
References: <20141027225310.29285.24437.idtracker@ietfa.amsl.com> <F0C0FC32-FAA7-4D07-A230-59A538754BCD@isoc.org> <20141027233223.GL19158@mournblade.imrryr.org> <20141110164617.GZ161@mournblade.imrryr.org> <20141110213931.GJ161@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20141110213931.GJ161@mournblade.imrryr.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/pw5cat66T98nRh-vHrkfSDI5GrM
Subject: Re: [dane] Fwd: New Version Notification for draft-york-dane-deployment-observations-00.txt
Precedence: list
Reply-To: dane@ietf.org

On Mon, Nov 10, 2014 at 09:39:31PM +0000, Viktor Dukhovni wrote:

> > ;; Passed(depth 3, hostname jhcloos.com): jhcloos.com. IN TLSA 1 1 1 597CC279D90F0FB950B540921C4A76916590A2B7DEDDDDBC353C65337160E1A8
> > ;; Passed(depth 0): jhcloos.com. IN TLSA 3 1 1 597CC279D90F0FB950B540921C4A76916590A2B7DEDDDDBC353C65337160E1A8
> > ;; Passed(depth 4, hostname *.kumari.net): www.kumari.net. IN TLSA 1 0 1 8D930A464843E08660E3FD1DDCE8ED4269CC0CD9CD53A8A306BCE8ABCF47AEF5
> > ;; Passed(depth 3, hostname dougbarton.us): dougbarton.us. IN TLSA 1 0 2 F994F42839BE5C864F143A037D4E96BB0F559AD7284C57EA09BF6A69D37C1D8359E57C604BB42A9A56586DB21E700404C38B8152365C03543BBF210A4FE30E08
> 
> The jhcloos site is however, in both camps.  Above, my code is
> misreporting the match depth for usage PKIX-EE(1) reporting the
> depth of the cert chain, not the match, I'll fix that shortly.

If anyone is already using the ssl_dane code, the fix for the above
is below.  I'll push it to github later this evening.

diff --git a/danessl.c b/danessl.c
index 5d1ead0..f7e5993 100644
--- a/danessl.c
+++ b/danessl.c
@@ -871,8 +871,8 @@ static int verify_chain(X509_STORE_CTX *ctx)
 	 * Check for an EE match, then a CA match at depths > 0, and
 	 * finally, if the EE cert is self-issued, for a depth 0 CA match.
 	 */
-	if (leaf_rrs)
-	    matched = match(leaf_rrs, xn, 0);
+	if (leaf_rrs && (matched = match(leaf_rrs, xn, 0)) > 0)
+	    n = 0;
 	while (!matched && issuer_rrs && --n >= 0) {
 	    xn = sk_X509_value(ctx->chain, n);
 
-- 
	Viktor.

[dane] Fwd: New Version Notification for draft-yo… Dan York
Re: [dane] Fwd: New Version Notification for draf… Viktor Dukhovni
Re: [dane] Fwd: New Version Notification for draf… Michael Ströder
Re: [dane] Fwd: New Version Notification for draf… Viktor Dukhovni
Re: [dane] Fwd: New Version Notification for draf… Dan York
Re: [dane] Fwd: New Version Notification for draf… Viktor Dukhovni
Re: [dane] Fwd: New Version Notification for draf… Viktor Dukhovni
Re: [dane] Fwd: New Version Notification for draf… Shumon Huque
Re: [dane] Fwd: New Version Notification for draf… Dan York
Re: [dane] Fwd: New Version Notification for draf… Viktor Dukhovni
Re: [dane] Fwd: New Version Notification for draf… James Cloos
Re: [dane] Fwd: New Version Notification for draf… Viktor Dukhovni
Re: [dane] Fwd: New Version Notification for draf… Paul Wouters
Re: [dane] Fwd: New Version Notification for draf… Viktor Dukhovni
[dane] Please help to remediate broken DNSSEC hos… Viktor Dukhovni
Re: [dane] Please help to remediate broken DNSSEC… Viktor Dukhovni
Re: [dane] Please help to remediate broken DNSSEC… Marco Davids (SIDN)
Re: [dane] Please help to remediate broken DNSSEC… Viktor Dukhovni
Re: [dane] Please help to remediate broken DNSSEC… Mark Andrews
Re: [dane] Please help to remediate broken DNSSEC… Viktor Dukhovni