from small one page howto to huge articles all in one place

search text in:




Other .linuxhowtos.org sites:gentoo.linuxhowtos.org



Last additions:
using iotop to find disk usage hogs

using iotop to find disk usage hogs

words:

887

views:

209581

userrating:

May 25th. 2007:
Words

486

Views

258588

why adblockers are bad

Workaround and fixes for the current Core Dump Handling vulnerability affected kernels

Workaround and fixes for the current Core Dump Handling vulnerability affected kernels

words:

161

views:

149878

userrating:

April, 26th. 2006:
Words

38

Views

107372

New subdomain: toolsntoys.linuxhowtos.org

Druckversion
You are here: manpages





ldns

Section: C Library Functions (3)
Updated: 30 May 2006
Index Return to Main Contents
 

NAME

ldns_dane_verify, ldns_dane_verify_rr - TLSA RR verification functions

 

SYNOPSIS

#include <stdint.h>
#include <stdbool.h>

#include <ldns/ldns.h>

ldns_status ldns_dane_verify(const ldns_rr_list* tlsas, X509* cert, STACK_OF(X509)* extra_certs, X509_STORE* pkix_validation_store);

ldns_status ldns_dane_verify_rr(const ldns_rr* tlsa_rr, X509* cert, STACK_OF(X509)* extra_certs, X509_STORE* pkix_validation_store);

 

DESCRIPTION

ldns_dane_verify() BEWARE! We strongly recommend to use OpenSSL 1.1.0 dane verification
functions instead of the ones provided by ldns. When OpenSSL 1.1.0 was available ldns will use the OpenSSL 1.1.0 dane verification functions under the hood. When ldns was linked with OpenSSL < 1.1.0, this function will not be able to verify TLSA records with DAN-TA usage types.

BEWARE! The ldns dane verification functions do *not* do server name checks. The user has to perform additional server name checks themselves!

Verify if any of the given TLSA resource records matches the given certificate.

.br tlsas: The resource records that specify what and how to match the certificate. One must match for this function to succeed. With tlsas == NULL or the number of TLSA records in tlsas == 0, regular PKIX validation is performed. .br cert: The certificate to match (and validate) .br extra_certs: Intermediate certificates that might be necessary creating the validation chain. .br pkix_validation_store: Used when the certificate usage is "CA constraint" or "Service Certificate Constraint" to validate the certificate.

.br Returns LDNS_STATUS_OK on success, LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA when at least one of the TLSA's had usage type DAN-TA and none of the TLSA's matched or PKIX validated, LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when one of the TLSA's matched but the PKIX validation failed, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH when none of the TLSA's matched, or other ldns_status errors.

ldns_dane_verify_rr() BEWARE! We strongly recommend to use OpenSSL 1.1.0 dane verification
functions instead of the ones provided by ldns. When OpenSSL 1.1.0 was available ldns will use the OpenSSL 1.1.0 dane verification functions under the hood. When ldns was linked with OpenSSL < 1.1.0, this function will not be able to verify TLSA records with DAN-TA usage types.

BEWARE! The ldns dane verification functions do *not* do server name checks. The user has to perform additional server name checks themselves!

Verify if the given TLSA resource record matches the given certificate. Reporting on a TLSA rr mismatch (LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH) is preferred over PKIX failure (LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE). So when PKIX validation is required by the TLSA Certificate usage, but the TLSA data does not match, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH is returned whether the PKIX validated or not.

When ldns is linked with OpenSSL < 1.1.0 and this function is available, then the DAN-TA usage type will not be verified, and on a tlsa_rr with this usage type, LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA will be returned.

.br tlsa_rr: The resource record that specifies what and how to match the certificate. With tlsa_rr == NULL, regular PKIX validation is performed. .br cert: The certificate to match (and validate) .br extra_certs: Intermediate certificates that might be necessary creating the validation chain. .br pkix_validation_store: Used when the certificate usage is "CA constraint" or "Service Certificate Constraint" to validate the certificate.

.br Returns LDNS_STATUS_OK on success, LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA when the provided TLSA had the DAN-TA usage type, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH on TLSA data mismatch, LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when TLSA matched, but the PKIX validation failed, or other ldns_status errors.

 

AUTHOR

The ldns team at NLnet Labs.

 

REPORTING BUGS

Please report bugs to ldn-team@nlnetlabs.nl or in our bugzilla at http://www.nlnetlabs.nl/bugs/index.html

 

COPYRIGHT

Copyright (c) 2004- 2006 NLnet Labs.

Licensed under the BSD License. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

 

SEE ALSO

ldns_dane_create_tlsa_owner, ldns_dane_cert2rdf, ldns_dane_select_certificate, ldns_dane_create_tlsa_rr. And perldoc Net::DNS, RFC1034, RFC1035, RFC4033, RFC4034 and RFC4035.  

REMARKS

This manpage was automatically generated from the ldns source code.

 

Index

NAME
SYNOPSIS
DESCRIPTION
AUTHOR
REPORTING BUGS
COPYRIGHT
SEE ALSO
REMARKS





Support us on Content Nation
rdf newsfeed | rss newsfeed | Atom newsfeed
- Powered by LeopardCMS - Running on Gentoo -
Copyright 2004-2025 Sascha Nitsch Unternehmensberatung GmbH
Valid XHTML1.1 : Valid CSS
- Level Triple-A Conformance to Web Content Accessibility Guidelines 1.0 -
- Copyright and legal notices -
Time to create this page: 11.1 ms