No certificate signature checks or expiration checks for usage 2. (Invalid or expired chains pass) #11

@terryburton

Source: http://permalink.gmane.org/gmane.ietf.dane/1984

From: Viktor Dukhovni
Subject: "Swede" likely not ready for production use

On Mon, Nov 10, 2014 at 01:13:15PM +0000, Terry Burton wrote:
> Also for reference Swede [1] can be invoked from Nagios as follows:
> 
> define command {
>         command_name check_tlsa
>         command_line cd [nagios]/etc/swede && [nagios]/bin/swede verify -q $HOSTADDRESS$
> }

I don't believe that swede is sufficiently robust for this purpose:

    - No certificate signature checks or expiration checks for usage 2.
      (Invalid or expired chains pass)

    - Extraneous hostname check for usage 3.  (Valid certs fail)
      [Yes, I know the OPS draft has not yet been through WGLC so
      the new semantics of DANE-EE with respect to hostname and
      expiration checks are not yet "standard".]

    - Unsafe hostname checks for usages 0, 1, 2 (remote name is
      used after insufficient input validation as a regular
      expression!).  The name checks are erroneously case sensitive
      for ASCII input.  (Valid names fail, invalid names pass, and
      possibly security issues depending on safety of using remotely
      provided regexps in Python)

Less critically, and for now also applicable to my Perl code:

    - Does not yet support UTF-8 (IDNA) hostnames.  The SNI extension
      is supposed to be UTF-8.  Name checks on DNS altNames are
      supposed to use ASCII-encoded A-labels.
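
The unsafe hostname check in the third item above can be illustrated with an added example (not Swede's code and not part of the quoted message): a name taken from the certificate is used as a regular expression, next to a literal, ASCII case-insensitive comparison. The function names, the wildcard policy and the sample names are assumptions made for this sketch.

```python
import re

def regex_name_match(cert_name: str, hostname: str) -> bool:
    """Flawed pattern: a name taken from the peer's certificate is used as a regex."""
    try:
        return re.match(cert_name + "$", hostname) is not None
    except re.error:
        return False  # malformed "pattern" supplied by the remote side

def safe_name_match(cert_name: str, hostname: str) -> bool:
    """Literal, ASCII case-insensitive, label-by-label comparison."""
    # Assumption: both inputs are ASCII (A-labels); IDNA conversion is out of scope.
    if not (cert_name.isascii() and hostname.isascii()):
        return False
    ref = hostname.rstrip(".").lower().split(".")
    pat = cert_name.rstrip(".").lower().split(".")
    if len(ref) != len(pat) or not all(ref):
        return False
    if any("*" in label for label in pat[1:]):
        return False
    if pat[0] == "*":
        # Assumption: a wildcard is accepted only as the entire leftmost label,
        # with at least two labels after it.
        return len(pat) >= 3 and pat[1:] == ref[1:]
    return "*" not in pat[0] and pat == ref

# Constructed sample inputs: (name in certificate, name the client expects)
SAMPLES = [
    ("www.example.com", "WWW.EXAMPLE.COM"),   # valid name, differs only in case
    ("www.example.com", "wwwXexample.com"),   # "." in a regex matches any character
    (".*", "anything.invalid"),               # certificate name that is itself a pattern
    ("*.example.com", "mail.example.com"),    # ordinary wildcard certificate
]

def compare():
    """Return (cert_name, hostname, regex_result, safe_result) for each sample."""
    return [(c, h, regex_name_match(c, h), safe_name_match(c, h)) for c, h in SAMPLES]

if __name__ == "__main__":
    for row in compare():
        print(row)
```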
