[openssl-users] OpenSSL version 1.1.0 pre release 6 published
openssl-users at dukhovni.org
Thu Aug 4 22:33:36 UTC 2016
On Thu, Aug 04, 2016 at 03:05:00PM -0700, Carl Byington wrote:
> > OpenSSL version 1.1.0 pre release 6 (beta)
> Seems to work in my openssl/sendmail/dane test environment.
Thanks for the confirmation.
Note, I still firmly hold that the "o DANE=always" mode is largely
a bad idea. It is only "useful" when an MX host has its address
records in a signed zone, but its TLSA records are CNAMEd into
an unsigned zone:
; example.com zone is signed
example.com. IN MX 0 smtp.example.com.
smtp.example.com. IN A 192.0.2.1
_25._tcp.smtp.example.com. IN CNAME _dane.example.net.
; example.net zone is not signed
_dane.example.net. IN TLSA 3 1 1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Such configurations will be rather rare, and offer minimal incremental
MITM protection. The code and documentation to support this use-case
and explain it to users are not worth the trouble.
More information about the openssl-users