Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Devel/spki pinset via tlsa checking #371

merged 13 commits into from Feb 14, 2018


Copy link

@wtoorop wtoorop commented Jan 11, 2018

With OpenSSL >= 1.1.0 check SHA256 pins with OpenSSL native DANE functions
With OpenSSL >= 1.0.0 and < 1.1.0 uses Viktor's danessl library
With OpenSSL < 1.0.0 uses old method, but does not allow the exceptions (like self-signed certificates)
So for OpenSSL < 1.0.0 certificate authorities are a requirement, but the connection will fail authentication if the pin doesn't match.

Copy link

@wtoorop Thanks for this. Will review/test tomorrow. As we discussed last week IIRC TLS 1.2 requires OpenSSL 1.0.1, so I'm not sure we need to cater for OpenSSL < 1.0.0 for authentication?

And thanks for extra work in getdns_query - was just about to remove i_am_stubby myself!!

@wtoorop wtoorop merged commit 0eba73a into develop Feb 14, 2018
@wtoorop wtoorop deleted the devel/spki_pinset_via_tlsa_checking branch February 22, 2018 09:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

Successfully merging this pull request may close these issues.

None yet

2 participants