Merge #2140
2140: Fix 2138: Pin DANE with the full cert r=mergify[bot] a=nextgens ## What type of PR? bug-fix ## What does this PR do? Pin the intermediates rather than the root for DANE. If you have setup TLSA records following previous suggestion from Mailu please update them. This hasn't been tested. The four options here are: - stop suggesting DANE records - send the root CA (4096 bits extra per handshake!) - pin the intermediates : the downside is that these are only valid for 3y, see https://letsencrypt.org/certificates/ and we should pin 4: R3,R4,E1,E2 - setup a 'full' DANE record in DNS (this is what this PR does) The high priority is warranted by the fact that some SMTP servers may not trust root CAs and may enforce DANE strictly (it may break things). ### Related issue(s) - close #2138 ## Prerequisites Before we can consider review and merge, please make sure the following list is done and checked. If an entry in not applicable, you can check it or remove it from the list. - [ ] In case of feature or enhancement: documentation updated accordingly - [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file. Co-authored-by: Florent Daigniere <nextgens@freenetproject.org> Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>master
commit
a5f6f9676b
@ -0,0 +1 @@
|
|||||||
|
Pin the root certificate differently for DANE. If you have setup a TLSA record following previous suggestion from Mailu please update it.
|
Loading…
Reference in New Issue