FS#42148 - [gnutls] Enable DANE support
Attached to Project:
Arch Linux
Opened by Nicolas I. (IooNag) - Saturday, 27 September 2014, 21:38 GMT
Last edited by Andreas Radke (AndyRTR) - Saturday, 18 April 2015, 07:48 GMT
Details
Description:
Currently gnutls is compiled without DANE support. As a consequence, "gnutls-cli --dane --port 443 bad-hash.dane.verisignlabs.com" does not complain about a DANE error. According to its configure script [1], gnutls enables DANE when libunbound is found. Rebuilding the package from the PKGBUILD once "unbound" is installed is enough to add DANE support, and the previous command then fails as expected, with the message "DANE: Verification failed. The certificate differs.". Could you please add unbound as a dependency of gnutls to enable DANE support?

Moreover, as Arch uses /etc/trusted-key.key instead of /etc/unbound/root.key for DNSSEC validation, it is necessary to add "--with-unbound-root-key-file=/etc/trusted-key.key" to the ./configure command line in the gnutls PKGBUILD.

Additional info:
* package version(s): gnutls 3.3.8-2 for x86_64

[1] https://gitorious.org/gnutls/gnutls/source/d0716389ed9590572fd5c77cb14a8c06ea9d398d:configure.ac#L358
This task depends upon
Closed by Andreas Radke (AndyRTR)
Saturday, 18 April 2015, 07:48 GMT
Reason for closing: Upstream
Additional comments about closing: libdane support has been removed in gnutls 3.4.0. an alternative implementation is not yet available.
I'm not sure if it's widely used.
If your question was more about "forcing users to use the unbound service", that's not the case, as the unbound.service unit is not enabled by default.
There is a chicken-and-egg problem here. It may be useful to put more context around this bug... I'm a sysadmin of an organization which has DNS servers, websites, etc. A few weeks ago we successfully activated DNSSEC in our DNS, and now we would like to activate DANE. To do this, two things are needed: add TLSA records to the DNS and create an automatic check (performed by Nagios or Icinga) to verify the config. The check is easy to build when a command exists which checks whether the DANE information is valid or not. The only command I've found so far which does this is "gnutls-cli --dane", combined with "drill -TD -k /etc/trusted-key.key" to verify the DNSSEC trust chain. These commands work fine on Gentoo but not on Arch Linux, because gnutls is built without DANE support.
IMHO without the proper tooling for monitoring, it is not surprising that DANE is not much used. I opened this bug in hope to improve Arch tools in this regard.
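The monitoring check described above, written out as an added example (not code from the bug report or from the gnutls project): a Nagios/Icinga-style plugin that wraps "gnutls-cli --dane" and maps its verdict to plugin exit codes. It assumes a gnutls built with libunbound (so DNSSEC validation of the TLSA record happens inside gnutls-cli, using the trust anchor configured at build time), and it assumes the success string "DANE: Certificate matches"; only the failure string is quoted in the report.

```shell
#!/bin/sh
# Added example, not part of the bug report: minimal check_dane plugin.
# Assumed output strings (gnutls-cli 3.3.x):
#   "DANE: Verification failed ..."  -> quoted in the report
#   "DANE: Certificate matches"      -> assumed success line
# A missing DANE verdict is reported as UNKNOWN rather than OK, so a gnutls
# built without libunbound can never make a monitoring check go green.

# classify_dane OUTPUT
# Prints a one-line status and returns the Nagios exit code:
#   0 OK, 2 CRITICAL, 3 UNKNOWN
classify_dane() {
    case "$1" in
        *"DANE: Verification failed"*)
            echo "CRITICAL - TLSA record does not match the served certificate"
            return 2 ;;
        *"DANE: Certificate matches"*)
            echo "OK - DANE verification succeeded"
            return 0 ;;
        *)
            echo "UNKNOWN - no DANE verdict in gnutls-cli output (built without libunbound, or no TLSA record?)"
            return 3 ;;
    esac
}

# check_dane HOST [PORT]
# Runs the command from the report with stdin closed so gnutls-cli exits
# right after the handshake, then classifies its text output.
check_dane() {
    host="$1"; port="${2:-443}"
    # gnutls-cli exits non-zero on any verification problem; the text is
    # what distinguishes a DANE mismatch from "no DANE support at all".
    out=$(gnutls-cli --dane --port "$port" "$host" </dev/null 2>&1) || true
    classify_dane "$out"
}

# Plugin entry point: ./check_dane.sh HOST [PORT]
if [ -n "${1:-}" ]; then
    check_dane "$@"
fi
```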
Nikos seems to be working on a new library. Maybe we can hold back that feature until 3.4 release?