RFC 7671 introduced a new allowance (section 5.2) that servers may omit the trust anchor certificate from the cert chain sent to the client if it's included in full (not hash) in the TLSA record and all TLSA records are of this form ("2 0 0"). This is a rather awful usage, since it requires gigantic DNS messages, but it should be supported since the standard allows it. I believe the right way to do it is by pre-processing the TLSA records to put the trust anchor(s) they define into a chain to pass into br_ssl_client_init_full. I'm not doing it yet since this is a low-priority feature, but documenting it here so it can be done later.
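As an added example (not code from this issue or from the project), the pre-processing step described above sketched in C: take a TLSA RRset, require that every record is "2 0 0", sanity-check that each certificate association is one complete DER SEQUENCE, and hand back the DER blobs. Decoding those blobs into BearSSL trust anchors (br_x509_decoder and br_x509_trust_anchor) is assumed and not shown; the sample RDATA is constructed, not real certificates.

```c
#include <stddef.h>
#include <stdint.h>

/* TLSA RDATA as it arrives from the resolver: usage, selector, matching
   type, then the certificate association data (RFC 6698 section 2.1). */
typedef struct {
    const uint8_t *rdata;
    size_t len;
} tlsa_rr;

/* A DER certificate taken from a "2 0 0" record. Turning it into a
   trust anchor for br_ssl_client_init_full (BearSSL's X.509 decoder plus
   a br_x509_trust_anchor) is assumed here and not shown. */
typedef struct {
    const uint8_t *der;
    size_t len;
} der_blob;

/* Check that buf is exactly one DER SEQUENCE (a Certificate is a SEQUENCE):
   tag 0x30 and an encoded length that covers the rest of the buffer.
   Rejects truncated or padded RDATA before it reaches the X.509 decoder. */
static int der_is_single_sequence(const uint8_t *buf, size_t len)
{
    size_t hdr, body;
    if (len < 2 || buf[0] != 0x30) return 0;
    if (buf[1] < 0x80) {
        hdr = 2;
        body = buf[1];
    } else {
        size_t nb = buf[1] & 0x7f;
        if (nb == 0 || nb > sizeof(size_t) || len < 2 + nb) return 0;
        body = 0;
        for (size_t i = 0; i < nb; i++) body = (body << 8) | buf[2 + i];
        hdr = 2 + nb;
    }
    return hdr + body == len;
}

/* Pre-process a TLSA RRset for the RFC 7671 section 5.2 case. Returns the
   number of trust-anchor certificates written to out, or -1 when a record
   is malformed or when not every record is "2 0 0" (the condition under
   which the server may omit the TA from its chain). A caller that gets -1
   falls back to the normal path where the TA must be present in the chain. */
int tlsa_collect_full_ta_certs(const tlsa_rr *rrs, size_t n,
                               der_blob *out, size_t max_out)
{
    size_t count = 0;
    if (n == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *p = rrs[i].rdata;
        if (rrs[i].len < 3) return -1;
        /* usage DANE-TA(2), selector Cert(0), matching type Full(0) */
        if (p[0] != 2 || p[1] != 0 || p[2] != 0) return -1;
        if (!der_is_single_sequence(p + 3, rrs[i].len - 3)) return -1;
        if (count == max_out) return -1;
        out[count].der = p + 3;
        out[count].len = rrs[i].len - 3;
        count++;
    }
    return (int)count;
}

/* Constructed sample records (not real certificates): a "2 0 0" record
   whose data is a 5-byte DER SEQUENCE, and a "3 1 1" record carrying a
   32-byte stand-in for a SHA-256 digest. */
static const uint8_t rr_full_ta[] = { 2, 0, 0, 0x30, 0x03, 0x02, 0x01, 0x01 };
static const uint8_t rr_ee_hash[35] = { 3, 1, 1 };

/* All records are "2 0 0": one trust anchor is extracted. */
int demo_all_full(void)
{
    tlsa_rr rrs[1] = { { rr_full_ta, sizeof rr_full_ta } };
    der_blob out[4];
    return tlsa_collect_full_ta_certs(rrs, 1, out, 4);
}

/* Length of the extracted DER blob in the case above (5 bytes). */
int demo_all_full_ta_len(void)
{
    tlsa_rr rrs[1] = { { rr_full_ta, sizeof rr_full_ta } };
    der_blob out[4];
    if (tlsa_collect_full_ta_certs(rrs, 1, out, 4) != 1) return -1;
    return (int)out[0].len;
}

/* Mixed RRset: the "3 1 1" record means the TA may not be omitted. */
int demo_mixed(void)
{
    tlsa_rr rrs[2] = { { rr_full_ta, sizeof rr_full_ta },
                       { rr_ee_hash, sizeof rr_ee_hash } };
    der_blob out[4];
    return tlsa_collect_full_ta_certs(rrs, 2, out, 4);
}

/* Same "2 0 0" record with its last DER byte missing: rejected. */
int demo_truncated(void)
{
    tlsa_rr rrs[1] = { { rr_full_ta, sizeof rr_full_ta - 1 } };
    der_blob out[4];
    return tlsa_collect_full_ta_certs(rrs, 1, out, 4);
}
```

The DER framing check is deliberately separate from certificate parsing: it lets the client reject an oversized or cut-off RRset cheaply before allocating a trust-anchor array, which matters given how large these records get.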