On Thu, Jan 30, 2025 at 06:38:14PM +0000, Andrew C Aitchison via mailop wrote:
>
> On Mon, 18 Nov 2024, Viktor Dukhovni via mailop wrote:
>
> > Exim is after all (IIRC) still using my dated code for DANE cert
> > validation over OpenSSL. Though with OpenSSL 1.0.2 long in the
> > rear-view mirror, this might also be a good time to switch to the native
> > OpenSSL DANE support. If you know anyone who might be interested in
> > doing that, please have them get in touch if they need help.
>
> https://bugs.exim.org/show_bug.cgi?id=3131
DANE support was added in OpenSSL 1.1.0 and has been stable since. Both
OpenSSL 1.1.0 and 1.1.1 (LTS) have been retired. The oldest still supported
version is 3.0. So there should not IMHO be any concerns about requiring at
least 1.1.1 and probably 3.0 in a new version of Exim.

The documentation for the native DANE support in OpenSSL is in:

    https://docs.openssl.org/3.0/man3/SSL_CTX_dane_enable/

The "EXAMPLES" section has a fairly detailed sketch of how the API might be
used. In Postfix the code in question can be found at:

    https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_client.c#L1076-L1169
    https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_client.c#L574-L597

[ Much of that is recently added code to support TLSRPT. ]

-- 
    Viktor.