List: gnutls-dev
Subject: Re: [gnutls-devel] [patch] DANE_F_IGNORE_DNSSEC
From: Nikos Mavrogiannopoulos <nmav () gnutls ! org>
Date: 2013-10-23 16:47:49
Message-ID: 5267FDB5.6030400 () gnutls ! org
On 10/23/2013 12:09 PM, Christian Grothoff wrote:
> Hi!
>
> With the new dane_raw_tlsa and dane_verify_crt_raw APIs, it is now possible to
> validate a certificate chain against DANE/TLSA data that was not fetched by
> libunbound. However, even though DNSSEC might not have been used to obtain the
> DANE/TLSA data, GnuTLS currently always attempts to load the DNSSEC root key
> and if that fails the DANE/TLSA validation is not possible --- even though
> DNSSEC itself is not triggered by dane_raw_tlsa/dane_verify_crt_raw.
>
> The attached patch adds an option DANE_F_IGNORE_DNSSEC which can be used to
> disable loading of the DNSSEC root key. Naturally, if the option is not
> explicitly set, everything stays as it was (so the change is
> backwards-compatible).
Applied. Thank you.