weechat icon indicating copy to clipboard operation
weechat copied to clipboard
verified publisher icon weechat

Implement support for DANE using the gnutls-dane library

Open nomis opened this issue 11 years ago • 10 comments

I've only added this to configure.ac, so it will require additional changes to work with CMake.

This can be used on Gentoo as-is, or on Debian Jessie/Ubuntu Utopic if gnutls28 is modified to provide gnutls-dane.

nomis avatar Jul 06 '14 20:07 nomis

Is there anything more than the CMake part of this that's missing?

kyrias avatar Sep 18 '14 19:09 kyrias

No, it's all functional. You'd need to replicate the same version check logic in CMake, some of the older GnuTLS releases have severe flaws in their behaviour.

There should be a copy of weechat__dane_query_to_raw_tlsa() named dane_query_to_raw_tlsa() in a future release of GnuTLS that you could opt to use instead if you increase the minimum version requirements.

GnuTLS still has this outstanding bug if CA type TLSA records are used: http://savannah.gnu.org/support/?108552

nomis avatar Oct 05 '14 18:10 nomis

Is it possible to test that with GnuTLS version currently in Debian unstable?

flashcode avatar Oct 15 '14 18:10 flashcode

Yes but you'll need to modify the gnutls28 package to create libgnutls-dane0.

Debian aren't going to support gnutls-dane until GnuTLS stops linking against Unbound or Unbound doesn't depend on OpenSSL: http://lists.gnutls.org/pipermail/gnutls-devel/2014-February/006793.html

nomis avatar Oct 15 '14 18:10 nomis

This could wait until GnuTLS 3.4 which will drop the libunbound dependency in favour of assuming a local validating resolver. Such a change may result in libgnutls-dane being merged into libgnutls.

http://lists.gnutls.org/pipermail/gnutls-devel/2014-July/007039.html https://www.gitorious.org/gnutls/pages/Plan3_4

However, the discussions on how to configure support for this in glibc appear to have stalled: https://sourceware.org/ml/libc-alpha/2014-06/msg00586.html

nomis avatar Jan 18 '15 22:01 nomis

It looks like the issue has moved to GnuTLS 3.5 now and the issue is at https://gitlab.com/gnutls/gnutls/issues/21.

Mikaela avatar Oct 18 '15 06:10 Mikaela

I'm not sure how the gnutls issue 21 blocks that feature. gnutls already provides a DANE back-end, whether that's linked with unbound or something else shouldn't block its use of it by weechat.

nmav avatar Nov 20 '17 11:11 nmav

At the time this was raised, libunbound depended on openssl, which is absurd for gnutls to link to.

This has now been fixed: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=594

nomis avatar Nov 20 '17 12:11 nomis

This has now been fixed: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=594

Does this mean that this can finally be merged (after merge conflicts are resolved)?

Mikaela avatar Nov 20 '17 19:11 Mikaela