Unclear extent of functionality of danetool --check
Description of problem:
p11tool(1) says
--check=string
Check a host's DANE TLSA entry.
Obtains the DANE TLSA entry from the given hostname and prints information. Note
that the actual certificate of the host can be provided using --load-certificate,
otherwise danetool will connect to the server to obtain it. The exit code on verification
success will be zero.
I understood this to mean that p11tool actually does trust verification. However afaict this is somewhere in between a syntax check and a trust path validation. I think p11tool uses the following steps:
- Pull the TLSA record
- Connect to the host and receive the provided certificate chain.
- Verify the server certificate using the provided certificate chain and TLSA record, i.e.
  - with certificate usage 0 or 2 check for a signing certificate in the chain
  - with certificate usage 1 or 3 check that the server cert matches the fingerprint in the TLSA record.
- The local trust store is never consulted.
I do understand that it might make sense to not consult the local trust store since gnutls-cli --dane already exists.
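The matching steps listed above, written out as an added example (not danetool's own code): a TLSA record is compared against the certificate chain exactly as described, with usages 0/2 matched against the issuing certificates and usages 1/3 against the end-entity certificate, and with no consultation of a local trust store. It assumes selector 0 (full certificate) and uses constructed byte strings in place of real DER certificates.

```python
import hashlib

# TLSA matching types from RFC 6698 section 2.1.3
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def _matches(cert_der: bytes, matching_type: int, assoc_data: bytes) -> bool:
    """Compare one certificate (selector 0 = full certificate) with the TLSA data."""
    if matching_type == MATCH_FULL:
        return cert_der == assoc_data
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(cert_der).digest() == assoc_data
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(cert_der).digest() == assoc_data
    raise ValueError(f"unsupported matching type {matching_type}")


def dane_check(chain: list, usage: int, matching_type: int, assoc_data: bytes) -> bool:
    """chain[0] is the server certificate, chain[1:] the certificates that signed it.

    Mirrors the reporter's description: this is a TLSA match only. For usages 0 and 1
    a full verification would additionally have to validate chain[0] against the local
    trust store, which this function deliberately does not do.
    """
    if not chain:
        return False
    if usage in (1, 3):          # PKIX-EE / DANE-EE: the server cert itself must match
        return _matches(chain[0], matching_type, assoc_data)
    if usage in (0, 2):          # PKIX-TA / DANE-TA: a signing cert in the chain must match
        return any(_matches(c, matching_type, assoc_data) for c in chain[1:])
    raise ValueError(f"unknown certificate usage {usage}")


# Constructed stand-ins for DER certificates (not real certificates).
SAMPLE_LEAF = b"constructed-server-certificate"
SAMPLE_CA = b"constructed-issuing-ca-certificate"


def demo() -> dict:
    """Run the four usage cases over the constructed chain and return the outcomes."""
    chain = [SAMPLE_LEAF, SAMPLE_CA]
    return {
        "ee_sha256_ok": dane_check(chain, 3, MATCH_SHA256, hashlib.sha256(SAMPLE_LEAF).digest()),
        "ee_wrong_cert": dane_check(chain, 3, MATCH_SHA256, hashlib.sha256(SAMPLE_CA).digest()),
        "ta_sha512_ok": dane_check(chain, 2, MATCH_SHA512, hashlib.sha512(SAMPLE_CA).digest()),
        "ta_leaf_only": dane_check([SAMPLE_LEAF], 2, MATCH_FULL, SAMPLE_LEAF),
        "pkix_ee_full_ok": dane_check(chain, 1, MATCH_FULL, SAMPLE_LEAF),
    }
```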
Version of gnutls used:
gnutls GIT d4624761 (15 Aug 2018) - post 3.6.3
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Debian