inconsistent behaviour with DANE check website #1
When I check mail.bayern.de with the command

gotls -4 -d -m dane -s smtp -r 8.8.8.8 mail.bayern.de 25

I receive the following output stating that name check failed. I can't see what exactly went wrong. To check I tried mail.bayern.de with https://dane.sys4.de/ and https://danetools.com/dane?host=mail.bayern.de&service=smtp&port=25&protocol=tcp. Both sites say that everything is ok. Is this a bug in the gotls program or are the DANE check sites wrong?

Comments

When testing the server with https://github.com/shuque/danetls, it also says DANE OK.

Hello, the error message from gotls is:

"DANE TLSA 2 0 1 [32a2bc1d..]: FAIL matched TA certificate at depth 1 but name check failed"

The name check failed because your certificate does not include the correct name of your service (mail.bayern.de) in a Subject Alternative Name dnsName entry. It only has it in the CN (Common Name), which is deprecated. gotls is written in Go, and the Go library disabled CN checking a while back. See https://golang.google.cn/doc/go1.15#commonname

danetls apparently works because it uses OpenSSL, which still allows common names. I recommend re-issuing your certificate with a SAN dnsname entry. In time, most software will eliminate the use of CN.

Thanks for the explanation
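The behaviour described in the reply above can be reproduced directly against Go's x509 package. The program below is an added example, not code from gotls or from this issue: it builds two self-signed certificates for an assumed host name (mail.example.test, standing in for the real service name), one carrying the name only in the Subject CN and one carrying it in a SAN dNSName entry, and runs Go's own hostname check (crypto/x509's VerifyHostname, the same check the Go TLS stack applies after chain validation) against each. The key generation and certificates are constructed in the program and have no relation to the real server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a throwaway self-signed certificate (constructed here for
// the demonstration). cn goes into the Subject Common Name; sans (possibly
// empty) into the Subject Alternative Name dNSName entries.
func makeCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NameMatches reports whether Go's hostname verification accepts host for
// cert. Since Go 1.15 this check ignores the Common Name; only SAN entries
// (dNSName, or iPAddress for IP literals) are consulted.
func NameMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// CheckNamePolicy returns whether a certificate that carries host only in
// its CN (cnOnly) and one that carries it in a SAN dNSName (withSAN) pass
// the Go name check.
func CheckNamePolicy(host string) (cnOnly bool, withSAN bool, err error) {
	c1, err := makeCert(host, nil)
	if err != nil {
		return false, false, err
	}
	c2, err := makeCert(host, []string{host})
	if err != nil {
		return false, false, err
	}
	return NameMatches(c1, host), NameMatches(c2, host), nil
}

// CNOnlyError returns the text of the error Go reports for the CN-only
// certificate, so the failure is visible rather than just a boolean.
func CNOnlyError(host string) (string, error) {
	c, err := makeCert(host, nil)
	if err != nil {
		return "", err
	}
	if verr := c.VerifyHostname(host); verr != nil {
		return verr.Error(), nil
	}
	return "", nil
}

func main() {
	host := "mail.example.test" // assumed name; stands in for the real service name
	cnOnly, withSAN, err := CheckNamePolicy(host)
	if err != nil {
		panic(err)
	}
	msg, err := CNOnlyError(host)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CN-only certificate passes name check:     %v\n", cnOnly)
	fmt.Printf("SAN dNSName certificate passes name check: %v\n", withSAN)
	fmt.Printf("Go's error for the CN-only certificate:    %s\n", msg)
}
```

On a current Go toolchain the CN-only certificate fails and the SAN certificate passes, which is exactly the split between gotls (Go) and the OpenSSL-based checkers in this thread. An OpenSSL-based tool may still fall back to the CN when no SAN is present, so agreement between the two requires a SAN dNSName entry for the service name.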