View Issue Details

IDProjectCategoryView StatusLast Update
0005472GNUnetGNSpublic2019-02-28 11:17
ReporterschanzenAssigned Toschanzen 
PrioritynormalSeveritymajorReproducibilityhave not tried
Status closedResolutionfixed 
Product VersionSVN HEAD 
Target Version0.11.0Fixed in Version0.11.0 
Summary0005472: GNS-Proxy and multiple TLSA records
Descriptionwhile setting up letsencrypt we noticed that if you use TLSA in combination with it we might encounter problems with GNS proxy.

First, from looking at the code I think it does not look like that multiple TLSA records are accepted (in fact, only the last record seems to be processed).
However, in case server certificates are renewed, the server will use the new certificate usually _before_ the old certificate expires (as is the case with letsencrypt, usually).

As far as I can see this problem can _not_ be remedied using shadow records. We must support multiple TLSA records (in the proxy) and the server administrator must make sure that there is a sufficient delay between TLSA record update and the server certificate update. See also: https://dane.sys4.de/common_mistakes, ctrl-f "planned cert".
TagsNo tags attached.

Activities

Christian Grothoff

2018-11-12 20:56

manager   ~0013334

Should be implemented in 748788145..21eec1db5 -- but I did not test it (lacking automated test case). So please test & report back!

schanzen

2019-01-25 18:49

developer   ~0013463

It works. I tested it. Test automation is difficult see https://gnunet.org/bugs/view.php?id=5514.

Issue History

Date Modified Username Field Change
2018-11-06 12:00 schanzen New Issue
2018-11-12 20:18 Christian Grothoff Assigned To => Christian Grothoff
2018-11-12 20:18 Christian Grothoff Status new => assigned
2018-11-12 20:18 Christian Grothoff Product Version => SVN HEAD
2018-11-12 20:18 Christian Grothoff Target Version => 0.11.0
2018-11-12 20:18 Christian Grothoff Description Updated View Revisions
2018-11-12 20:56 Christian Grothoff Note Added: 0013334
2018-11-12 20:58 Christian Grothoff Assigned To Christian Grothoff => schanzen
2018-11-12 20:58 Christian Grothoff Status assigned => feedback
2019-01-25 18:49 schanzen Note Added: 0013463
2019-01-25 18:49 schanzen Status feedback => resolved
2019-01-25 18:49 schanzen Resolution open => fixed
2019-02-20 12:24 Christian Grothoff Fixed in Version => 0.11.0
2019-02-28 11:17 Christian Grothoff Status resolved => closed