Bug 1272345

Summary: [RFE] Add DANE support for TLS
Product: Red Hat Enterprise Linux 7
Reporter: Petr Spacek <pspacek>
Component: openssl
Assignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.3
CC: emaldona, qe-baseos-security
Target Milestone: rc
Keywords: FutureFeature, RFE
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-04-03 14:18:02 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Petr Spacek 2015-10-16 07:33:34 UTC
1. What is the nature and description of the request?
Support for the DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol is missing in the OpenSSL library.


2. Why do you need this? (List the business requirements here)
- To limit attack surface on TLS (by eliminating CA-trust issues imposed by current CA certificate management systems).
- To ease TLS certificate lifecycle maintenance and trust-bootstrapping.
- To ease CA-rotation process.



3. How would you like to achieve this? (List the functional requirements here)
Implement
http://tools.ietf.org/html/rfc6698
http://tools.ietf.org/html/rfc7671
into OpenSSL.


4. For each functional requirement listed, specify how Red Hat and you can test to confirm the requirement is successfully implemented.

a.
- Create own CA
- Create a certificate for TLS
- Put CA certificate into TLSA record in DNSSEC-signed zone
- Configure an application (e.g. Apache) with the cert
- Try to open a TLS connection from an application using NSS library (e.g. curl).
- The CA cert should be accepted because it will be automatically obtained from DNS.

b.
- Generate a self-signed certificate for TLS
- Put the self-signed certificate into TLSA record in DNSSEC-signed zone
- Configure an application (e.g. Apache) with the self-signed cert
- Try to open a TLS connection from an application using NSS library (e.g. curl).
- The TLS cert should be accepted because it will be automatically obtained from DNS.



5. Do you have any specific timeline dependencies, and which release would you like to target (i.e. RHEL6, RHEL7)?
RHEL 8 or if possible RHEL 7


6. List any affected packages or components.
OpenSSL library


7. Would you be able to assist in testing this functionality if implemented?
Yes
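The two test scenarios in item 4 both hinge on the same mechanics from RFC 6698 and RFC 7671: derive the TLSA "certificate association data" from a certificate (either the whole DER certificate or only its SubjectPublicKeyInfo, optionally hashed), publish it in a TLSA record under `_port._tcp.host`, and have the client compare the presented chain against that record (usage 3, DANE-EE, for the self-signed case in 4b; usage 2, DANE-TA, for the private-CA case in 4a). The following Python is an added example written for this report; it is not code from the bug, from OpenSSL or from any DANE implementation. It assumes certificates are available as DER bytes and that the TLSA records were already fetched through a DNSSEC-validating resolver (no DNS lookup or signature validation is performed here). The certificate it hashes is a constructed, structurally valid dummy with a meaningless key and signature, used only so the example runs offline.

```python
import hashlib
from typing import Iterator, List, Tuple

# TLSA RDATA fields (RFC 6698 section 2.1; usage semantics refined by RFC 7671).
USAGE_DANE_TA, USAGE_DANE_EE = 2, 3            # trust-anchor vs end-entity assertion
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1       # whole cert vs SubjectPublicKeyInfo only
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Return (tag, value_start, value_end) for the DER TLV beginning at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int) -> Iterator[Tuple[int, int, int]]:
    """Yield (tag, element_start, element_end) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend = _read_tlv(buf, pos)
        yield tag, pos, vend
        pos = vend


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo (tag and length included) of an X.509 cert."""
    tag, cert_start, _ = _read_tlv(cert_der, 0)
    tbs_tag, tbs_start, tbs_end = _read_tlv(cert_der, cert_start)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER Certificate")
    fields = list(_children(cert_der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                   # optional EXPLICIT [0] version comes first
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, start, end = fields[5]
    return cert_der[start:end]


def association_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Compute the TLSA 'Certificate Association Data' for one certificate."""
    data = cert_der if selector == SELECTOR_FULL_CERT else extract_spki(cert_der)
    if matching_type == MATCH_EXACT:
        return data
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type")


def tlsa_rdata(cert_der: bytes, usage: int, selector: int, matching_type: int) -> str:
    """Presentation-format RDATA, e.g. '3 1 1 <hex>'."""
    return f"{usage} {selector} {matching_type} {association_data(cert_der, selector, matching_type).hex()}"


def tlsa_record(host: str, port: int, cert_der: bytes, usage: int, selector: int, matching_type: int) -> str:
    """Full zone-file RR for a TLS service, e.g. '_443._tcp.example.com. IN TLSA 3 1 1 <hex>'."""
    return f"_{port}._tcp.{host}. IN TLSA {tlsa_rdata(cert_der, usage, selector, matching_type)}"


def dane_matches(chain: List[bytes], rdata: str) -> bool:
    """Client-side check: does the presented chain (end-entity first) satisfy one TLSA RDATA?
    DANE-EE (3) constrains only chain[0]; DANE-TA (2) is satisfied by any presented cert."""
    usage, selector, matching_type, assoc_hex = rdata.split()
    want = bytes.fromhex(assoc_hex)
    candidates = chain[:1] if int(usage) == USAGE_DANE_EE else chain
    return any(association_data(c, int(selector), int(matching_type)) == want for c in candidates)


# --- constructed fixture: a structurally valid but meaningless certificate (assumption) ---
def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_dummy_cert(pubkey: bytes) -> bytes:
    """Stand-in for a real certificate; the key bytes and signature carry no meaning."""
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    rsa_enc = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    version = _der(0xA0, _der(0x02, b"\x02"))                        # v3
    validity = _der(0x30, _der(0x17, b"230101000000Z") + _der(0x17, b"240101000000Z"))
    empty_name = _der(0x30, b"")
    spki = _der(0x30, rsa_enc + _der(0x03, b"\x00" + pubkey))        # BIT STRING, 0 unused bits
    tbs = _der(0x30, version + _der(0x02, b"\x01") + sha256_rsa + empty_name + validity + empty_name + spki)
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" + b"\xAA" * 64))


if __name__ == "__main__":
    ee = build_dummy_cert(b"\x01" * 32)
    print(tlsa_record("example.com", 443, ee, USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256))
```

For scenario 4b the published record is `3 1 1` (or `3 0 1`) over the self-signed certificate and the client compares only the leaf; for scenario 4a it is `2 0 1` over the private CA certificate, which the client will only match if the server actually sends that CA certificate in its chain, as RFC 7671 requires for DANE-TA. Hashing the SPKI (selector 1) rather than the whole certificate lets the operator re-issue the certificate under the same key without touching DNS, which is the lifecycle benefit named in item 2.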

Comment 2 Petr Spacek 2015-10-16 07:36:32 UTC
Eh, there is a copy&paste mistake in step 4:
The application has to use OpenSSL, naturally. Wget should be good enough, I suspect.

Comment 3 Tomas Mraz 2015-10-16 09:01:48 UTC
It is really preliminary to add such RFEs to RHEL-7 when the support is not even upstream and in Fedora.

Comment 5 Petr Spacek 2016-01-06 12:24:32 UTC
BTW DANE support in DANE is coming soon to upstream:
https://mailarchive.ietf.org/arch/msg/dane/IFV8vPeiDREu2biYWQ2tPluBkfI

Comment 6 Tomas Mraz 2016-01-06 13:54:47 UTC
I am afraid that given the differences between 1.0.x and 1.1 branches it will be very hard to backport the support.

Comment 8 Tomas Mraz 2017-04-03 14:17:49 UTC
I am rejecting this for RHEL-7.

Comment 9 Red Hat Bugzilla Rules Engine 2017-04-03 14:18:02 UTC
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.