[getdns-users] public key pinning and tls_authentication models

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Dec 22 14:23:55 UTC 2015

On Tue 2015-12-22 04:25:21 -0500, Willem Toorop <willem at nlnetlabs.nl> wrote:

> I believe we introduced getdns_context_get_tls_authentication() as a
> quick way to allow for opportunistic TLS. So renaming the define
> would be in line with its original intent I think.  Indicating what
> credentials (hostname or pubkey hashes) to use for authentication makes
> complete sense to me too.

great, that only leaves the question of what we should do with a
configuration that asks for STRICT but allows fallback to non-TLS -- we
could either ignore the non-TLS upstreams, or fail the request entirely
to indicate that they're not getting what they asked for.

> Question: If you specify a pinset in an upstream with STRICT
> authentication, would your cert still need to be authenticated against
> the CA store?

At the moment, yes, the code says that if you've specified HOSTNAME then
you need to have a hostname :)  I didn't want to change those semantics
without making sure people were OK with that.

I can work on an additional patch that makes this change, if it seems


More information about the Users mailing list