On Thu, Sep 3, 2015, at 15:21, Alessandro Ghedini wrote:
> On Mon, Aug 31, 2015 at 10:53:21am +0200, Ondřej Surý wrote:
> > Hi security team and Thomas,
> >
> > I propose following patch for libval14 in stable:
> >
> > Index: validator/libval/val_dane.c
> > ===================================================================
> > --- validator/libval/val_dane.c (revision 8325)
> > +++ validator/libval/val_dane.c (working copy)
> > @@ -766,23 +766,6 @@
> > break;
> >
> > case DANE_USE_TA_ASSERTION: /*2*/ {
> > - SSL_CTX *ctx = SSL_get_SSL_CTX(con);
> > - X509_STORE *store;
> > - *do_pathval = 0;
> > - if (store = X509_STORE_new()) {
> > - X509 *tlsa_cert = NULL;
> > - c = dane_cur->data;
> > - tlsa_cert = d2i_X509(NULL, (const unsigned char
> > **)&c,
> > - dane_cur->datalen);
> > - X509_STORE_add_cert(store, tlsa_cert);
> > - SSL_CTX_set_cert_store(ctx, store);
> > - if (SSL_get_verify_result(con) == X509_V_OK) {
> > - val_log(context, LOG_INFO, "DANE:
> > val_dane_match() success");
> > - rv = VAL_DANE_NOERROR;
> > - goto done;
> > - }
> > - }
> > -
> > val_log(context, LOG_NOTICE,
> > "DANE: val_dane_check() for usage %d failed",
> > dane_cur->usage);
> >
> >
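Review bot: Dropping this whole block is the right call, because the removed code never actually validated the peer against the TLSA certificate: `SSL_get_verify_result(con)` only reports the outcome of the verification already performed during the handshake, so installing a fresh `X509_STORE` via `SSL_CTX_set_cert_store(ctx, store)` just before calling it had no effect on that result, and it also swapped the trust store of the shared `SSL_CTX` for every connection using it. The removed branch had further problems worth noting in the changelog, such as `if (store = X509_STORE_new())` (assignment in a condition) and `X509_STORE_add_cert(store, tlsa_cert)` being called without checking that `d2i_X509()` returned non-NULL. After the change, `DANE_USE_TA_ASSERTION` falls straight through to the `val_log(context, LOG_NOTICE, ...)` failure path, so the commit message should state explicitly that usage 2 is now unsupported and always fails validation.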
> > It will just make the DANE validation fail when the usage 2 scenario is
> > encountered.
>
> I noticed that you applied this patch in unstable closing #797470, but
> then you reopened it. Does that mean that the patch is not enough?
Nope, I think the patch is enough. I reopened it so we don't forget to fix
this in jessie.
> > Unfortunately the code in 2.1 has diverted too much (API change), so we
> > are not able to use the (possibly fixed) code from there.
> >
> > I will also file a bug for irssi and kamailio to drop the libval usage
> > and remove the dnsval library from Debian unless I have a strong
> > promise from upstream that they will take care of the library.
>
> It would maybe make sense to drop dnsval from jessie as well (though both
> irssi and kamailio would need to be updated there too). Could you try to
> contact the Release Team and see what they think about this?
I spoke to the upstream and they are still working on the whole
dnssec-tools suite, but I would still rather see irssi and kamailio use
some better library to do the DNSSEC validation.
Cheers,
--
Ondřej Surý <[email protected]>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server