mirror of
https://github.com/mjl-/mox.git
synced 2024-12-25 07:53:47 +03:00
f7666d1582
tls servers send a list of certificates for the connection. the first is the leaf certificate. that's the one for the server itself. that's the one we want to verify. the others are intermediate CA's. and possibly even the root CA certificate that it hopes is trusted at the client (though sending it doesn't make it trusted). with dane-ta, the public key of an intermediate or root CA certificate is listed in the TSLA record. when verifying, we add any intermediate/root CA that matches a dane-ta tlsa record to the trusted root CA certs. we should also have added CA certs that didn't match a TLSA record to the "intermediates" of x509.VerifyOptions. because we didn't, x509.Certificate.Verify couldn't verify the chain from the trusted dane-ta ca cert to the leaf cert. we would only properly verify a dane-ta connection correctly if the dane-ta-trusted ca cert was the one immediately following the leaf cert. not when there were one or more additional intermediate certs. this showed when connecting to mx.runbox.com. problem reported by robbo5000 on matrix, thanks! |
||
---|---|---|
.. | ||
dane.go | ||
dane_test.go | ||
examples_test.go |