Hello,
Thanks to the TLS callback support, I discovered that using DANE with libldap is actually really easy. OpenSSL has DANE support built-in, so all you have to do is turn it on and get the DNS records. As a proof-of-concept, I've written an example that disables the use of certificate authorities and uses DANE alone, in accordance with their preference in the TLSA record, to connect to Debian's LDAP instance.
Note that Debian currently uses GnuTLS for OpenLDAP which has, in my opinion, not so good DANE support, so this code won't work. I'm offering my help to the Debian maintainers though to change that.
Code is at https://salsa.debian.org/-/snippets/649
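As an added illustration (not the code in the linked snippet, and not OpenSSL's own implementation), this is the TLSA matching a client performs once the TLS callback hands it the peer's chain, restricted to the DANE-TA and DANE-EE usages that work without a CA store. The presentation-format parser, the usage ordering and the sample chain are my assumptions; the "certificates" are constructed byte strings standing in for DER.

```python
import hashlib
from dataclasses import dataclass

PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3  # TLSA usages, RFC 6698/7671
# Selector: 0 = whole certificate, 1 = SubjectPublicKeyInfo. Matching type:
# 0 = exact data, 1 = SHA-256, 2 = SHA-512.

@dataclass(frozen=True)
class Tlsa:
    usage: int
    selector: int
    mtype: int
    data: bytes

def parse_tlsa(rdata: str) -> Tlsa:
    """Parse presentation format ('3 1 1 <hex>') as a DNS resolver returns it."""
    usage, selector, mtype, hexdata = rdata.split(maxsplit=3)
    return Tlsa(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))

def association(der_cert: bytes, der_spki: bytes, selector: int, mtype: int) -> bytes:
    """Derive the association data a TLSA record would carry for this certificate."""
    picked = {0: der_cert, 1: der_spki}[selector]
    if mtype == 0:
        return picked
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](picked).digest()

def dane_verify(records, chain):
    """First TLSA record satisfied by chain ((der_cert, der_spki) pairs, leaf first), or None.
    PKIX-TA(0)/PKIX-EE(1) are skipped: they still need CA validation, which
    the "DANE alone" mode turns off. DANE-EE is tried before DANE-TA."""
    for rec in sorted(records, key=lambda r: r.usage, reverse=True):
        if rec.usage == DANE_EE:
            candidates = chain[:1]  # leaf only; no chain needed
        elif rec.usage == DANE_TA:
            candidates = chain[1:]  # anchor must be an issuer in the chain
        else:
            continue
        for der_cert, der_spki in candidates:
            if association(der_cert, der_spki, rec.selector, rec.mtype) == rec.data:
                return rec
    return None

# Constructed sample data (not real certificates), standing in for the DER bytes
# a libldap TLS callback would pull out of the peer's certificate chain.
LEAF = (b"constructed leaf cert DER", b"constructed leaf SPKI DER")
ISSUER = (b"constructed issuer cert DER", b"constructed issuer SPKI DER")
SAMPLE_CHAIN = [LEAF, ISSUER]
SAMPLE_RECORDS = [Tlsa(PKIX_TA, 0, 1, association(*ISSUER, 0, 1)),  # ignored
                  Tlsa(DANE_TA, 0, 2, association(*ISSUER, 0, 2)),
                  Tlsa(DANE_EE, 1, 1, association(*LEAF, 1, 1))]
```

Records with a usage that needs PKIX never authenticate the peer here, so a zone that publishes only usage 0 or 1 records fails closed in this mode.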
What a great idea. But it does create a very strong dependency between LDAP and DNS. Does OpenSSL support private DNSSEC trust anchors in its DANE implementation?
On 30/07/2023 9:23 am, John Scott wrote:
openldap-technical@openldap.org