Re: TLS on disconnected/intermittently connected networks

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 04 March 2021 19:46 UTC

Subject: Re: TLS on disconnected/intermittently connected networks
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <3f4db10c-dd92-354b-4fc9-6f14f4383454@network-heretics.com>
Date: Thu, 04 Mar 2021 17:46:16 -0200
Message-Id: <809967EB-F315-48D9-A301-73DFA4212FDE@dukhovni.org>
References: <20210302010731.GL30153@localhost> <0632b948-9ed1-f2bd-96da-9922ebb2aa60@mtcc.com> <YECpybvczdbKHvHx@puck.nether.net> <CAMm+LwiiySi5O1_WDc4-F9x1XfMFFvE-rEbc4uw+31DHJNEHEA@mail.gmail.com> <3f4db10c-dd92-354b-4fc9-6f14f4383454@network-heretics.com>
To: ietf@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/MvzuK-hGJQLOS8t5bXiY0AkBnOM>

> On Mar 4, 2021, at 4:44 PM, Keith Moore <moore@network-heretics.com> wrote:
> 
> There are lots of applications (including but not limited to ordinary web browsers and servers) running on disconnected and intermittently-connected networks out there that need encryption, and which can't practically use TLS, because they don't use DNS or even host files.   But it's not a limitation of the TLS protocol so much as of the APIs and the code that does certificate verification.

TLS without DNS name checks and/or without any hierarchical PKI
is directly supported by OpenSSL.

For example, Postfix (via OpenSSL) supports "fingerprint"
verification of the peer certificate, where a digest of the
server's public key or certificate is matched against the
expected value.  The peer certificate is matched directly,
without any reliance on DNS or trusted CAs.

Postfix supports isolated deployments without DNS (don't
use either setting on MTAs delivering email to the public
Internet):

    # No MX lookups for the nexthop domain
    disable_dns_lookups = yes

    # No DNS when mapping hosts to IP addresses
    smtp_host_lookup = native

You can still use TLS, in any of the supported verification
modes:

    http://www.postfix.org/TLS_README.html#client_tls_levels

-- 
	Viktor.
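The "fingerprint" verification level described in the message above, shown as an added Go example (not Postfix or OpenSSL code): a TLS peer-verification callback that accepts the server only when the SHA-256 digest of its public key matches a pinned value, with no CA chain and no DNS name involved. The function names and the self-signed throw-away certificate are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Fingerprint returns the colon-separated hex SHA-256 digest of the DER certificate
// (pubkey=false) or of its SubjectPublicKeyInfo (pubkey=true), the two things Postfix can pin.
func Fingerprint(der []byte, pubkey bool) (string, error) {
	data := der
	if pubkey {
		cert, err := x509.ParseCertificate(der)
		if err != nil { return "", err }
		data = cert.RawSubjectPublicKeyInfo // exact SPKI bytes, digested as sent on the wire
	}
	sum := sha256.Sum256(data)
	h := hex.EncodeToString(sum[:])
	var parts []string
	for i := 0; i < len(h); i += 2 { parts = append(parts, h[i:i+2]) }
	return strings.Join(parts, ":"), nil
}
// PinVerifier is a tls.Config.VerifyPeerCertificate callback (pair it with InsecureSkipVerify: true,
// so no CA chain or DNS name is checked): accept the peer only if its leaf key digest is pinned.
func PinVerifier(allowed []string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 { return errors.New("no peer certificate") }
		fp, err := Fingerprint(rawCerts[0], true)
		if err != nil { return err }
		for _, a := range allowed {
			if strings.EqualFold(a, fp) { return nil } // case-insensitive hex compare
		}
		return errors.New("peer public key fingerprint " + fp + " not pinned")
	}
}
// SelfSignedDER builds a throw-away certificate (constructed here, not a real peer's) for offline tests.
func SelfSignedDER() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```

Pinning the public key rather than the whole certificate survives certificate renewal with the same key, which is why the example digests the SubjectPublicKeyInfo.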