Implement support for DANE using the gnutls-dane library #121

wants to merge 3 commits into



4 participants

lp0 commented Jul 6, 2014

I've only added this to, so it will require additional changes to work with CMake.

This can be used on Gentoo as-is, or on Debian Jessie/Ubuntu Utopic if gnutls28 is modified to provide gnutls-dane.

lp0 added some commits Jul 6, 2014
@lp0 lp0 core: implement support for DANE
Use gnutls-dane to obtain DANE TLSA records on SSL connections.

Performs a synchronous DNS lookup to get TLSA data between the
normal DNS resolve and the TCP connect.
@lp0 lp0 configure: Add gnutls-dane library fdcd3d9
@lp0 lp0 irc: implement support for DANE
Use gnutls-dane to check DANE TLSA records on SSL connections.

Performs a check of the cached TLSA data when verifying the
@flashcode flashcode added this to the 1.1 milestone Jul 8, 2014
@flashcode flashcode self-assigned this Jul 11, 2014
kyrias commented Sep 18, 2014

Is there anything more than the CMake part of this that's missing?

lp0 commented Oct 5, 2014

No, it's all functional. You'd need to replicate the same version check logic in CMake; some of the older GnuTLS releases have severe flaws in their behaviour.

There should be a copy of weechat__dane_query_to_raw_tlsa() named dane_query_to_raw_tlsa() in a future release of GnuTLS that you could opt to use instead if you increase the minimum version requirements.

GnuTLS still has this outstanding bug if CA type TLSA records are used:


Is it possible to test that with the GnuTLS version currently in Debian unstable?

lp0 commented Oct 15, 2014

Yes but you'll need to modify the gnutls28 package to create libgnutls-dane0.

Debian aren't going to support gnutls-dane until GnuTLS stops linking against Unbound or Unbound doesn't depend on OpenSSL:

@flashcode flashcode modified the milestone: 1.1, 1.2 Dec 21, 2014
@Mikaela Mikaela referenced this pull request in znc/znc Dec 22, 2014

Add support for DANE / TLSA #784

lp0 commented Jan 18, 2015

This could wait until GnuTLS 3.4 which will drop the libunbound dependency in favour of assuming a local validating resolver. Such a change may result in libgnutls-dane being merged into libgnutls.

However, the discussions on how to configure support for this in glibc appear to have stalled:

@flashcode flashcode removed this from the 1.2 milestone Jan 23, 2015
Mikaela commented Oct 18, 2015

It looks like the issue has moved to GnuTLS 3.5 now and the issue is at

@lp0 lp0 referenced this pull request in ircv3/ircv3-specifications Feb 6, 2016

OOB distribution of cert fingerprints #210
