SSL_CTX_dane_enable, SSL_CTX_dane_mtype_set, SSL_dane_enable,
SSL_dane_tlsa_add, SSL_get0_dane_authority, SSL_get0_dane_tlsa,
SSL_CTX_dane_set_flags, SSL_CTX_dane_clear_flags,
-SSL_dane_set_flags, SSL_dane_clear_flags -
-enable DANE TLS authentication of the remote TLS server in the local
+SSL_dane_set_flags, SSL_dane_clear_flags
+- enable DANE TLS authentication of the remote TLS server in the local
TLS client
=head1 SYNOPSIS
uint8_t mtype, uint8_t ord);
int SSL_dane_enable(SSL *s, const char *basedomain);
int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector,
- uint8_t mtype, unsigned char *data, size_t dlen);
+ uint8_t mtype, unsigned const char *data, size_t dlen);
int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki);
int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector,
uint8_t *mtype, unsigned const char **data,
The arguments specify the fields of the TLSA record.
The B<data> field is provided in binary (wire RDATA) form, not the hexadecimal
ASCII presentation form, with an explicit length passed via B<dlen>.
+The library takes a copy of the B<data> buffer contents and the caller may
+free the original B<data> buffer when convenient.
A return value of 0 indicates that "unusable" TLSA records (with invalid or
unsupported parameters) were provided.
A negative return value indicates an internal error in processing the record.
optional DANE verification features.
SSL_CTX_dane_clear_flags() and SSL_dane_clear_flags() can be used to disable
the same features.
-The B<flags> argument is a bitmask of the features to enable or disable.
+The B<flags> argument is a bit-mask of the features to enable or disable.
The B<flags> set for an B<SSL_CTX> context are copied to each B<SSL> handle
associated with that context at the time the handle is created.
Subsequent changes in the context's B<flags> have no effect on the B<flags> set
SSL_dane_set_flags() and SSL_dane_clear_flags() return the B<flags> in effect
before they were called.
-=head1 EXAMPLE
+=head1 EXAMPLES
Suppose "smtp.example.com" is the MX host of the domain "example.com", and has
DNSSEC-validated TLSA records.
retrieved, and must be copied by the application if it is to be retained beyond
the lifetime of the SSL connection.
- SSL_CTX *ctx;
- SSL *ssl;
- int (*verify_cb)(int ok, X509_STORE_CTX *sctx) = NULL;
- int num_usable = 0;
- const char *nexthop_domain = "example.com";
- const char *dane_tlsa_domain = "smtp.example.com";
- uint8_t usage, selector, mtype;
-
- if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL)
- /* handle error */
- if (SSL_CTX_dane_enable(ctx) <= 0)
- /* handle error */
-
- if ((ssl = SSL_new(ctx)) == NULL)
- /* handle error */
-
- if (SSL_dane_enable(ssl, dane_tlsa_domain) <= 0)
- /* handle error */
-
- /*
- * For many applications it is safe to skip DANE-EE(3) namechecks. Do not
- * disable the checks unless "unknown key share" attacks pose no risk for
- * your application.
- */
- SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
-
- if (!SSL_add1_host(ssl, nexthop_domain))
- /* handle error */
- SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
-
- for (... each TLSA record ...) {
- unsigned char *data;
- size_t len;
- int ret;
-
- /* set usage, selector, mtype, data, len */
-
- /*
- * Opportunistic DANE TLS clients support only DANE-TA(2) or DANE-EE(3).
- * They treat all other certificate usages, and in particular PKIX-TA(0)
- * and PKIX-EE(1), as unusable.
- */
- switch (usage) {
- default:
- case 0: /* PKIX-TA(0) */
- case 1: /* PKIX-EE(1) */
- continue;
- case 2: /* DANE-TA(2) */
- case 3: /* DANE-EE(3) */
- break;
- }
-
- ret = SSL_dane_tlsa_add(ssl, usage, selector, mtype, data, len);
- /* free data as appropriate */
-
- if (ret < 0)
- /* handle SSL library internal error */
- else if (ret == 0)
- /* handle unusable TLSA record */
- else
- ++num_usable;
- }
-
- /*
- * At this point, the verification mode is still the default SSL_VERIFY_NONE.
- * Opportunistic DANE clients use unauthenticated TLS when all TLSA records
- * are unusable, so continue the handshake even if authentication fails.
- */
- if (num_usable == 0) {
- /* Log all records unusable? */
-
- /* Optionally set verify_cb to a suitable non-NULL callback. */
- SSL_set_verify(ssl, SSL_VERIFY_NONE, verify_cb);
- } else {
- /* At least one usable record. We expect to verify the peer */
-
- /* Optionally set verify_cb to a suitable non-NULL callback. */
-
- /*
- * Below we elect to fail the handshake when peer verification fails.
- * Alternatively, use the permissive SSL_VERIFY_NONE verification mode,
- * complete the handshake, check the verification status, and if not
- * verified disconnect gracefully at the application layer, especially if
- * application protocol supports informing the server that authentication
- * failed.
- */
- SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb);
- }
-
- /*
- * Load any saved session for resumption, making sure that the previous
- * session applied the same security and authentication requirements that
- * would be expected of a fresh connection.
- */
-
- /* Perform SSL_connect() handshake and handle errors here */
-
- if (SSL_session_reused(ssl)) {
- if (SSL_get_verify_result(ssl) == X509_V_OK) {
- /*
- * Resumed session was originally verified, this connection is
- * authenticated.
- */
- } else {
- /*
- * Resumed session was not originally verified, this connection is not
- * authenticated.
- */
- }
- } else if (SSL_get_verify_result(ssl) == X509_V_OK) {
- const char *peername = SSL_get0_peername(ssl);
- EVP_PKEY *mspki = NULL;
-
- int depth = SSL_get0_dane_authority(ssl, NULL, &mspki);
- if (depth >= 0) {
- (void) SSL_get0_dane_tlsa(ssl, &usage, &selector, &mtype, NULL, NULL);
- printf("DANE TLSA %d %d %d %s at depth %d\n", usage, selector, mtype,
- (mspki != NULL) ? "TA public key verified certificate" :
- depth ? "matched TA certificate" : "matched EE certificate",
- depth);
- }
- if (peername != NULL) {
- /* Name checks were in scope and matched the peername */
- printf("Verified peername: %s\n", peername);
- }
- } else {
- /*
- * Not authenticated, presumably all TLSA rrs unusable, but possibly a
- * callback suppressed connection termination despite the presence of
- * usable TLSA RRs none of which matched. Do whatever is appropriate for
- * fresh unauthenticated connections.
- */
- }
+ SSL_CTX *ctx;
+ SSL *ssl;
+ int (*verify_cb)(int ok, X509_STORE_CTX *sctx) = NULL;
+ int num_usable = 0;
+ const char *nexthop_domain = "example.com";
+ const char *dane_tlsa_domain = "smtp.example.com";
+ uint8_t usage, selector, mtype;
+
+ if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL)
+ /* error */
+ if (SSL_CTX_dane_enable(ctx) <= 0)
+ /* error */
+ if ((ssl = SSL_new(ctx)) == NULL)
+ /* error */
+ if (SSL_dane_enable(ssl, dane_tlsa_domain) <= 0)
+ /* error */
+
+ /*
+ * For many applications it is safe to skip DANE-EE(3) namechecks. Do not
+ * disable the checks unless "unknown key share" attacks pose no risk for
+ * your application.
+ */
+ SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
+
+ if (!SSL_add1_host(ssl, nexthop_domain))
+ /* error */
+ SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+
+ for (... each TLSA record ...) {
+ unsigned char *data;
+ size_t len;
+ int ret;
+
+ /* set usage, selector, mtype, data, len */
+
+ /*
+ * Opportunistic DANE TLS clients support only DANE-TA(2) or DANE-EE(3).
+ * They treat all other certificate usages, and in particular PKIX-TA(0)
+ * and PKIX-EE(1), as unusable.
+ */
+ switch (usage) {
+ default:
+ case 0: /* PKIX-TA(0) */
+ case 1: /* PKIX-EE(1) */
+ continue;
+ case 2: /* DANE-TA(2) */
+ case 3: /* DANE-EE(3) */
+ break;
+ }
+
+ ret = SSL_dane_tlsa_add(ssl, usage, selector, mtype, data, len);
+ /* free data as appropriate */
+
+ if (ret < 0)
+ /* handle SSL library internal error */
+ else if (ret == 0)
+ /* handle unusable TLSA record */
+ else
+ ++num_usable;
+ }
+
+ /*
+ * At this point, the verification mode is still the default SSL_VERIFY_NONE.
+ * Opportunistic DANE clients use unauthenticated TLS when all TLSA records
+ * are unusable, so continue the handshake even if authentication fails.
+ */
+ if (num_usable == 0) {
+ /* Log all records unusable? */
+
+ /* Optionally set verify_cb to a suitable non-NULL callback. */
+ SSL_set_verify(ssl, SSL_VERIFY_NONE, verify_cb);
+ } else {
+ /* At least one usable record. We expect to verify the peer */
+
+ /* Optionally set verify_cb to a suitable non-NULL callback. */
+
+ /*
+ * Below we elect to fail the handshake when peer verification fails.
+ * Alternatively, use the permissive SSL_VERIFY_NONE verification mode,
+ * complete the handshake, check the verification status, and if not
+ * verified disconnect gracefully at the application layer, especially if
+ * application protocol supports informing the server that authentication
+ * failed.
+ */
+ SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb);
+ }
+
+ /*
+ * Load any saved session for resumption, making sure that the previous
+ * session applied the same security and authentication requirements that
+ * would be expected of a fresh connection.
+ */
+
+ /* Perform SSL_connect() handshake and handle errors here */
+
+ if (SSL_session_reused(ssl)) {
+ if (SSL_get_verify_result(ssl) == X509_V_OK) {
+ /*
+ * Resumed session was originally verified, this connection is
+ * authenticated.
+ */
+ } else {
+ /*
+ * Resumed session was not originally verified, this connection is not
+ * authenticated.
+ */
+ }
+ } else if (SSL_get_verify_result(ssl) == X509_V_OK) {
+ const char *peername = SSL_get0_peername(ssl);
+ EVP_PKEY *mspki = NULL;
+
+ int depth = SSL_get0_dane_authority(ssl, NULL, &mspki);
+ if (depth >= 0) {
+ (void) SSL_get0_dane_tlsa(ssl, &usage, &selector, &mtype, NULL, NULL);
+ printf("DANE TLSA %d %d %d %s at depth %d\n", usage, selector, mtype,
+ (mspki != NULL) ? "TA public key verified certificate" :
+ depth ? "matched TA certificate" : "matched EE certificate",
+ depth);
+ }
+ if (peername != NULL) {
+ /* Name checks were in scope and matched the peername */
+ printf("Verified peername: %s\n", peername);
+ }
+ } else {
+ /*
+ * Not authenticated, presumably all TLSA rrs unusable, but possibly a
+ * callback suppressed connection termination despite the presence of
+ * usable TLSA RRs none of which matched. Do whatever is appropriate for
+ * fresh unauthenticated connections.
+ */
+ }
=head1 NOTES
=head1 HISTORY
-These functions were first added to OpenSSL 1.1.0.
+These functions were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
-Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
-Licensed under the OpenSSL license (the "License"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.