2019-01-22 03:19 CET

ID: 0005472
Project: GNUnet
Category: GNS
View Status: public
Last Update: 2018-11-12 20:58
Assigned To: schanzen
Priority: normal
Severity: major
Reproducibility: have not tried
Product Version: SVN HEAD
Target Version: 0.11.0
Fixed in Version:
Summary: 0005472: GNS-Proxy and multiple TLSA records
Description: While setting up letsencrypt we noticed that if you use TLSA in combination with it we might encounter problems with GNS proxy.

First, from looking at the code, I think it does not look like multiple TLSA records are accepted (in fact, only the last record seems to be processed).
However, in case server certificates are renewed, the server will use the new certificate usually _before_ the old certificate expires (as is the case with letsencrypt, usually).

As far as I can see this problem can _not_ be remedied using shadow records. We must support multiple TLSA records (in the proxy) and the server administrator must make sure that there is a sufficient delay between TLSA record update and the server certificate update. See also: https://dane.sys4.de/common_mistakes, ctrl-f "planned cert".
Tags: No tags attached.
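The rollover problem described in the report, as an added Python sketch (not GNUnet's code, which is C): it contrasts a check that consults only the last TLSA record with one that accepts a match against any record in the set. The function names, the constructed byte strings standing in for DER certificates, and the restriction to selector 0 are assumptions of this example.

```python
import hashlib
import hmac
from typing import List, NamedTuple

class TLSA(NamedTuple):
    usage: int     # carried along; not evaluated in this sketch
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes

_DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}

def parse_rdata(rdata: bytes) -> TLSA:
    """Split TLSA wire-format RDATA: three 1-byte fields, then the data."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return TLSA(rdata[0], rdata[1], rdata[2], rdata[3:])

def record_matches(rec: TLSA, cert_der: bytes) -> bool:
    if rec.selector != 0:
        return False  # selector 1 needs an X.509 parser, omitted here
    if rec.mtype == 0:
        presented = cert_der
    elif rec.mtype in _DIGESTS:
        presented = _DIGESTS[rec.mtype](cert_der).digest()
    else:
        return False
    return hmac.compare_digest(presented, rec.data)

def check_last_only(rrset: List[bytes], cert_der: bytes) -> bool:
    """Suspected behaviour from the report: only the last record decides."""
    return bool(rrset) and record_matches(parse_rdata(rrset[-1]), cert_der)

def check_any(rrset: List[bytes], cert_der: bytes) -> bool:
    """Accept when any well-formed record in the RRset matches."""
    for rdata in rrset:
        try:
            if record_matches(parse_rdata(rdata), cert_der):
                return True
        except ValueError:
            continue  # skip malformed records instead of failing the whole set
    return False

# Constructed byte strings standing in for DER certificates (not real X.509).
OLD_CERT = b"constructed-old-certificate"
NEW_CERT = b"constructed-new-certificate"

def dane_ee_sha256(cert_der: bytes) -> bytes:
    return bytes([3, 0, 1]) + hashlib.sha256(cert_der).digest()

# Rollover window: both certificates are published; record order is arbitrary.
ROLLOVER_RRSET = [dane_ee_sha256(NEW_CERT), dane_ee_sha256(OLD_CERT)]
```

With `ROLLOVER_RRSET`, a server that has already switched to `NEW_CERT` is rejected by `check_last_only` but accepted by `check_any`, while a certificate that matches neither record is rejected by both.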

Christian Grothoff (manager)

Should be implemented in 748788145..21eec1db5 -- but I did not test it (lacking automated test case). So please test & report back!

Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2018-11-06 12:00 | schanzen | New Issue | |
| 2018-11-12 20:18 | Christian Grothoff | Assigned To | => Christian Grothoff |
| 2018-11-12 20:18 | Christian Grothoff | Status | new => assigned |
| 2018-11-12 20:18 | Christian Grothoff | Product Version | => SVN HEAD |
| 2018-11-12 20:18 | Christian Grothoff | Target Version | => 0.11.0 |
| 2018-11-12 20:18 | Christian Grothoff | Description Updated | |
| 2018-11-12 20:56 | Christian Grothoff | Note Added: 0013334 | |
| 2018-11-12 20:58 | Christian Grothoff | Assigned To | Christian Grothoff => schanzen |
| 2018-11-12 20:58 | Christian Grothoff | Status | assigned => feedback |