[getdns-users] public key pinning and tls_authentication models
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Dec 22 14:23:55 UTC 2015
On Tue 2015-12-22 04:25:21 -0500, Willem Toorop <willem at nlnetlabs.nl> wrote:

> I believe we introduced getdns_context_get_tls_authentication() as a
> quick way to allow for opportunistic TLS. So renaming the define
> GETDNS_AUTHENTICATION_NONE into OPPORTUNISTIC and HOSTNAME in STRICT
> would be in line with its original intent I think. Indicating what
> credentials (hostname or pubkey hashes) to use for authentication makes
> complete sense to me too.

great, that only leaves the question of what we should do with a
configuration that asks for STRICT but allows fallback to non-TLS -- we
could either ignore the non-TLS upstreams, or fail the request entirely
to indicate that they're not getting what they asked for.

> Question: If you specify a pinset in an upstream with STRICT
> authentication, would your cert still need to be authenticated against
> the CA store?

At the moment, yes, the code says that if you've specified HOSTNAME then
you need to have a hostname :) I didn't want to change those semantics
without making sure people were OK with that.

I can work on an additional patch that makes this change, if it seems
plausible.

--dkg
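As an added illustration (not getdns code and not from dkg's mail), a small Python model of the two semantics discussed in this message: what a STRICT configuration should do when the transport list still allows non-TLS fallback, and how an upstream's hostname plus pubkey pinset would be checked under the current rule that a pinset does not replace CA validation. The constant names, dict keys and the sample SPKI bytes are assumptions made for the example.

```python
import base64
import hashlib

# Constructed names for this illustration; the mail proposes renaming getdns's
# GETDNS_AUTHENTICATION_NONE -> OPPORTUNISTIC and HOSTNAME -> STRICT.
OPPORTUNISTIC, STRICT = "opportunistic", "strict"
TLS, TCP, UDP = "tls", "tcp", "udp"

# Constructed stand-in for a DER SubjectPublicKeyInfo (not a real key).
SAMPLE_SPKI = b"\x30\x2a\x30\x05\x06\x03\x2b\x65\x70\x03\x21\x00" + bytes(range(32))


def spki_pin(spki_der: bytes) -> str:
    """Base64 SHA-256 of a DER SubjectPublicKeyInfo: the 'pubkey hash' credential."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def effective_transports(auth_model, transports, on_fallback="ignore"):
    """The STRICT + non-TLS-fallback question from the mail, both options.

    on_fallback="ignore": drop non-TLS transports (and so the upstreams only
    reachable through them); "fail": refuse the configuration so the caller
    learns it is not getting what it asked for.
    """
    if auth_model != STRICT or all(t == TLS for t in transports):
        return list(transports)
    if on_fallback == "fail":
        raise ValueError("STRICT authentication cannot fall back to non-TLS")
    return [t for t in transports if t == TLS]


def strict_authenticated(upstream, conn):
    """Does an observed TLS connection satisfy STRICT for this upstream?

    Current semantics per the mail: a hostname (tls_auth_name) is required and
    must validate against the CA store; a pinset is an extra check on the
    observed SPKI, not a replacement for CA validation.
    """
    name = upstream.get("tls_auth_name")
    if name is None:                      # STRICT needs a hostname to check
        return False
    if not conn["ca_valid"] or conn["cert_name"] != name:
        return False
    pins = upstream.get("tls_pubkey_pinset")
    if pins and spki_pin(conn["spki_der"]) not in pins:
        return False
    return True
```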