author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-08-19 11:59:47 -0400 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-08-19 12:18:49 -0400 |
commit | c4fbed6c3139726fc719a703d2195f3b6426b748 (patch) | |
tree | b207f45ff2cb818db5a566c4404b89b68302cfc7 /doc/apps | |
parent | dc047d31fa0c31872db8601a1b9fcd35f24d8589 (diff) |
Add -dane_ee_no_namechecks s_client(1) option
The DANE API supports a DANE_FLAG_NO_DANE_EE_NAMECHECKS option, but
there was no way to exercise/enable it via s_client. This commit
addresses that gap.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'doc/apps')
-rw-r--r-- | doc/apps/s_client.pod | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index 4ed032ca32..11b4a98195 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -24,6 +24,7 @@ B<openssl> B<s_client> [B<-no-CApath>] [B<-dane_tlsa_domain domain>] [B<-dane_tlsa_rrdata rrdata>] +[B<-dane_ee_no_namechecks>] [B<-attime timestamp>] [B<-check_ss_sig>] [B<-crl_check>] @@ -225,6 +226,24 @@ whitespace is ignored in the associated data field. For example: DANE TLSA 2 1 1 ...ee12d2cc90180517616e8a18 matched TA certificate at depth 1 ... +=item B<-dane_ee_no_namechecks> + +This disables server name checks when authenticating via DANE-EE(3) TLSA +records. +For some applications, primarily web browsers, it is not safe to disable name +checks due to "unknown key share" attacks, in which a malicious server can +convince a client that a connection to a victim server is instead a secure +connection to the malicious server. +The malicious server may then be able to violate cross-origin scripting +restrictions. +Thus, despite the text of RFC7671, name checks are by default enabled for +DANE-EE(3) TLSA records, and can be disabled in applications where it is safe +to do so. +In particular, SMTP and XMPP clients should set this option as SRV and MX +records already make it possible for a remote domain to redirect client +connections to any server of its choice, and in any case SMTP and XMPP clients +do not execute scripts downloaded from remote servers. + =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-no_alt_chains>, B<-no_check_time>, B<-partial_chain>, B<-policy>, |
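Review bot: The new =item in the second hunk never names the library flag it exposes, so a reader of s_client(1) cannot connect B<-dane_ee_no_namechecks> to the behaviour it toggles; since the commit message says the option exercises DANE_FLAG_NO_DANE_EE_NAMECHECKS, add a sentence such as "This option sets the DANE_FLAG_NO_DANE_EE_NAMECHECKS flag; see SSL_CTX_dane_enable(3)." It would also help to state what happens when B<-dane_tlsa_domain> is not given (whether the option is silently ignored or rejected), and to write "RFC 7671" with a space, as the other RFC references in OpenSSL's pod pages do.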