Network Working Group | P. Hoffman |
Internet-Draft | VPN Consortium |
Intended status: Standards Track | J. Schlyter |
Expires: July 02, 2012 | Kirei AB |
January 2012 |
Using Secure DNS to Associate Certificates with Domain Names For TLS
draft-ietf-dane-protocol-14
TLS and DTLS use PKIX certificates for authenticating the server. Users want their applications to verify that the certificate provided by the TLS server is in fact associated with the domain name they expect. TLSA provides bindings of keys to domains that are asserted not by external entities, but by the entities that operate the DNS. This document describes how to use secure DNS to associate the TLS server's certificate with the intended domain name.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http:/⁠/⁠datatracker.ietf.org/⁠drafts/⁠current/⁠.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 02, 2012.
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http:/⁠/⁠trustee.ietf.org/⁠license-⁠info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The first response from the server in TLS may contain a certificate. In order for the TLS client to authenticate that it is talking to the expected TLS server, the client must validate that this certificate is associated with the domain name used by the client to get to the server. Currently, the client must extract the domain name from the certificate, must trust a trust anchor upon which the server's certificate is rooted, and must successfully validate the certificate.
Some people want a different way to authenticate the association of the server's certificate with the intended domain name without trusting an external certificate authority (CA). Given that the DNS administrator for a domain name is authorized to give identifying information about the zone, it makes sense to allow that administrator to also make an authoritative binding between the domain name and a certificate that might be used by a host at that domain name. The easiest way to do this is to use the DNS.
There are many use cases for such functionality. [DANEUSECASES] lists the ones that the protocol in this document is meant to apply to. [DANEUSECASES] also lists many requirements, most of which the protocol in this document is believed to meet. Section 5 covers the applicability of this document to the use cases in detail.
This document applies to both TLS [RFC5246] and DTLS [RFC4347bis]. In order to make the document more readable, it mostly only talks about "TLS", but in all cases, it means "TLS or DTLS". This document only relates to securely associating certificates for TLS and DTLS with host names; other security protocols and other forms of identification of TLS servers (such as IP addresses) are handled in other documents. For example, keys for IPsec are covered in [RFC4025] and keys for SSH are covered in [RFC4255].
A certificate association is formed from a piece of information identifying a certificate with the domain name where the data is found. The data used to identify the certificate consists of either a PKIX certificate or a hash of a PKIX certificate. When using the certificate itself in the certificate association, the entire certificate in the normal format is used. This document only applies to PKIX [RFC5280] certificates, not certificates of other formats.
A DNS query can return multiple certificate associations, such as in the case of different server software on a single host using different certificates, or in the case that a server is changing from one certificate to another.
This document defines a secure method to associate the certificate that is obtained from the TLS server with a domain name using DNS; the DNS information needs to be be protected by DNSSEC. Because the certificate association was retrieved based on a DNS query, the domain name in the query is by definition associated with the certificate.
DNSSEC, which is defined in RFCs 4033, 4034, and 4035 ([RFC4033], [RFC4034], and [RFC4035]), uses cryptographic keys and digital signatures to provide authentication of DNS data. Information retrieved from the DNS and that is validated using DNSSEC is thereby proved to be the authoritative data. The DNSSEC signature MUST be validated on all responses that use DNSSEC in order to assure the proof of origin of the data. This document does not specify how DNSSEC validation occurs because there are many different proposals for how a client might get validated DNSSEC results.
This document only relates to securely getting the DNS information for the certificate association using DNSSEC; other secure DNS mechanisms are out of scope.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
This document also makes use of standard PKIX, DNSSEC, and TLS terminology. See [RFC5280], [RFC4033], and [RFC5246] respectively, for these terms. In addition, terms related to TLS-protected application services and DNS names are taken from [RFC6125].
The TLSA DNS resource record (RR) is used to associate a certificate with the domain name where the record is found. The semantics of how the TLSA RR is interpreted are given later in this document.
The type value for the TLSA RR type is TBD.
The TLSA RR is class independent.
The TLSA RR has no special TTL requirements.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Usage | Selector | Matching Type | / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ / / / / Certificate for Association / / / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The RDATA for a TLSA RR consists of a one octet usage type field, a one octet selector field, a one octet matching type field and the certificate for association field.
A one-octet value, called "certificate usage" or just "usage", specifying the provided association that will be used to match the target certificate from TLS. This will be an IANA registry in order to make it easier to add additional certificate usages in the future. The usages defined in this document are:
The three certificate usages defined in this document explicitly only apply to PKIX-formatted certificates. If TLS allows other formats later, or if extensions to this protocol are made that accept other formats for certificates, those certificates will need their own certificate types.
The use of this field is described in greater detail in Section 4.
A one-octet value, called "selector", specifying what will be matched. This value is defined in a new IANA registry. The selectors defined in this document are:
A one-octet value, called "matching type", specifying how the certificate association is presented. This value is defined in a new IANA registry. The types defined in this document are:
Using the same hash algorithm as is used in the signature in the certificate will make it more likely that the TLS client will understand this TLSA data.
The "association data" to be matched. The field contains the bytes to be matched or the hash of the bytes to be matched. The source of the data to be matched is controlled by the Matching Type field. The data refers to the certificate in the association, not to the TLS ASN.1 Certificate object.
The presentation format of the RDATA portion is as follows:
_443._tcp.www.example.com. IN TLSA ( 0 0 1 d2abde240d7cd3ee6b4b28c54df034b9 7983a1d16e8a410e4561cb106618e971 )
An example of a hashed (SHA-256) association of a PKIX CA certificate:
_443._tcp.www.example.com. IN TLSA 1 1 2 92003ba34942dc74152e2f2c408d29ec a5a520e7f2e06bb944f4dca346baf63c 1b177615d466f6c4b71c216a50292bd5 8c9ebdd2f74e38fe51ffd48c43326cbc )
An example of a hashed (SHA-512) subject public key association of a PKIX end entity certificate:
_443._tcp.www.example.com. IN TLSA 2 0 0 30820307308201efa003020102020... )
An example of a full certificate association of a PKIX trust anchor:
TLSA resource records are stored at a prefixed DNS domain name. The prefix is prepared in the following manner:
For example, to request a TLSA resource record for an HTTP server running TLS on port 443 at "www.example.com", you would use "_443._tcp.www.example.com" in the request. To request a TLSA resource record for an SMTP server running the STARTTLS protocol on port 25 at "mail.example.com", you would use "_25._tcp.mail.example.com".
The three certificate usages have very different semantics, but also have features common to all three types.
Certificate usage 0 is used to specify a CA certificate, or the public key of such a certificate, that the must be found in any of the PKIX validation chains for the end entity certificate given by the server in TLS. This usage is sometimes referred to as "CA constraint" because it limits which CA can be used to issue certificates for a given host name.
Certificate usage 1 is used to specify an end entity certificate, or the public key of such a certificate, that must be matched with the end entity certificate given by the server in TLS. This usage is sometimes referred to as "service certificate constraints" because it limits which end entity certificate may be used by a given host name.
Certificate usage 2 is used to specify a certificate, or the public key of such a certificate, that must be used as a trust anchor when validating the end entity certificate given by the server in TLS. This usage is sometimes referred to as "domain-issued certificate" because it allows for a domain name administrator to issue certificates for a domain without involving a third-party CA.
Section 2.1 of this document defines the mandatory matching rules for the data from the TLS certificate associations and the certificates received from the TLS server.
The TLS session that is to be set up MUST be for the specific port number and transport name that was given in the TLSA query. The matching or chaining MUST be done within the life of the TTL on the TLSA record.
Some specifications for applications that run under TLS, such as [RFC2818] for HTTP, require the server's certificate to have a domain name that matches the host name expected by the client. Some specifications such at [RFC6125] detail how to match the identify given in a PKIX certificate with those expected by the user.
An application that complies with this document first requests TLSA records in order to make certificate associations.
Determining whether a TLSA RRset can be used depends on the DNSSEC validation state (as defined in [RFC4033]).
If an application receives zero usable certificate associations, it processes TLS in the normal fashion without any input from the TLSA records; otherwise, that application attempts to match each certificate association with the TLS server's end entity certificate.
Clients that validate the DNSSEC signatures themselves MUST either use standard DNSSEC validation procedures or a secure transport (such as TSIG [RFC2845], SIG(0) [RFC2931], or IPsec [RFC6071]) between themselves and the entity performing the DNSSEC signature validation. Note that it is not sufficient to use secure transport to a DNS resolver that does not do DNSSEC signature validation.
If a certificate association contains a certificate usage, selector, or matching type that is not understood by the TLS client, that certificate association MUST be marked as unusable. If the comparison data for a certificate is malformed, the certificate association MUST be marked as unusable.
The different types of certificates for association defined in TLSA are matched with various sections of [DANEUSECASES]. The three use cases from section 3 of [DANEUSECASES] are covered in this protocol as follows:
The requirements from section 4 of [DANEUSECASES] are covered in this protocol as follows (note that some of these might be excessively glib):
A system creating TLSA records that conforms to this specification MUST be able to create TLSA records containing certificate usages 0, 1 and 2. A system creating TLSA records that conforms to this specification MUST be able to create TLSA records with selectors 0 (full certificate) and 1 (SubjectPublicKeyInfo). A system creating TLSA records that conforms to this specification MUST be able to create TLSA records using matching type 0 (no hash used) and matching type 1 (SHA-256), and SHOULD be able to create TLSA records using matching type 2 (SHA-512).
TLS clients conforming to this specification MUST be able to correctly interpret TLSA records with certificate usages 0, 1 and 2. TLS clients conforming to this specification MUST be able to compare a certificate for association with a certificate from TLS using selectors type 0 and 1, and matching type 0 (no hash used) and matching type 1 (SHA-256), and SHOULD be able to make such comparisons with matching type 2 (SHA-512).
At the time this is written, it is expected that there will be a new family of hash algorithms called SHA-3 within the next few years. It is expected that some of the SHA-3 algorithms will be mandatory and/or recommended for TLSA records after the algorithms are fully defined. At that time, this specification will be updated.
This document uses a new DNS RR type, TLSA, whose value is TBD. A separate request for the RR type will be submitted to the expert reviewer, and future versions of this document will have that value instead of TBD.
Value Short description Reference ---------------------------------------------------------- 0 Pass PKIX and chain through CA [This] 1 Pass PKIX and match EE [This] 2 Pass PKIX and trusted via certificate [This] 4-254 Unassigned 255 Private use
This document creates a new registry, "Certificate Usages for TLSA Resource Records". The registry policy is "RFC Required". The initial entries in the registry are:
Applications to the registry can request specific values that have yet to be assigned.
Value Short description Reference ---------------------------------------------------------- 0 Full Certificate [This] 1 SubjectPublickeyInfo [This] 2-254 Unassigned 255 Private use
This document creates a new registry, "Selectors for TLSA Resource Records". The registry policy is "Specification Required". The initial entries in the registry are:
Value Short description Reference --------------------------------------------- 0 No hash used [This] 1 SHA-256 NIST FIPS 180-3 2 SHA-512 NIST FIPS 180-3 3-254 Unassigned 255 Private use
This document creates a new registry, "Matching Types for TLSA Resource Records". The registry policy is "Specification Required". The initial entries in the registry are:
Applications to the registry can request specific values that have yet to be assigned.
The security of the protocols described in this document relies on the security of DNSSEC as used by the client requesting A/AAAA and TLSA records.
A DNS administrator who goes rogue and changes both the A/AAAA and TLSA records for a domain name can cause the user to go to an unauthorized server that will appear authorized, unless the client performs certificate validation and rejects the certificate. That administrator could probably get a certificate issued anyway, so this is not an additional threat.
If the authentication mechanism for adding or changing TLSA data in a zone is weaker than the authentication mechanism for changing the A/AAAA records, a man-in-the-middle who can redirect traffic to their site may be able to impersonate the attacked host in TLS if they can use the weaker authentication mechanism. A better design for authenticating DNS would be to have the same level of authentication used for all DNS additions and changes for a particular host.
SSL proxies can sometimes act as a man-in-the-middle for TLS clients. In these scenarios, the clients add a new trust anchor whose private key is kept on the SSL proxy; the proxy intercepts TLS requests, creates a new TLS session with the intended host, and sets up a TLS session with the client using a certificate that chains to the trust anchor installed in the client by the proxy. In such environments, the TLSA protocol will prevent the SSL proxy from functioning as expected because the TLS client will get a certificate association from the DNS that will not match the certificate that the SSL proxy uses with the client. The client, seeing the proxy's new certificate for the supposed destination will not set up a TLS session. Thus, such proxies might choose to aggressively block TLSA requests and/or responses.
Client treatment of any information included in the trust anchor is a matter of local policy. This specification does not mandate that such information be inspected or validated by the domain name administrator.
If a server's certificate is revoked, or if an intermediate CA in a chain between the end entity and a trust anchor has its certificate revoked, a TLSA record with a certificate type of 2 that matches the revoked certificate would in essence override the revocation because the client would treat that revoked certificate as a trust anchor and thus not check its revocation status. Because of this, domain administrators need to be responsible for being sure that the key or certificate used in TLSA records with a certificate type of 2 are in fact able to be used as reliable trust anchors.
Many of the ideas in this document have been discussed over many years. More recently, the ideas have been discussed by the authors and others in a more focused fashion. In particular, some of the ideas here originated with Paul Vixie, Dan Kaminsky, Jeff Hodges, Phill Hallam-Baker, Simon Josefsson, Warren Kumari, Adam Langley, Ben Laurie, Ilari Liusvaara, Ondrej Mikle, Scott Schmit, Ondrej Sury, Richard Barnes, Jim Schaad, and Stephen Farrell.
This document has also been greatly helped by many active participants of the DANE Working Group.
[RFC2782] | Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for specifying the location of services (DNS SRV)", RFC 2782, February 2000. |
[RFC2818] | Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. |
[RFC2845] | Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington, "Secret Key Transaction Authentication for DNS (TSIG)", RFC 2845, May 2000. |
[RFC2931] | Eastlake, D., "DNS Request and Transaction Signatures ( SIG(0)s)", RFC 2931, September 2000. |
[RFC4025] | Richardson, M., "A Method for Storing IPsec Keying Material in DNS", RFC 4025, March 2005. |
[RFC4255] | Schlyter, J. and W. Griffin, "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints", RFC 4255, January 2006. |
[RFC6071] | Frankel, S. and S. Krishnan, "IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap", RFC 6071, February 2011. |
When creating TLSA records with certificate usage type 0 or 2, care needs to be taken when choosing between selector type 0 (full certificate) and 1 (SubjectPublicKeyInfo) because of the algorithms that various TLS clients employ to build their trust-chain. The following outlines some important cases and discusses implications of the choice of selector type.
Note that certificate usage 2 is not affected by this discussion if the association is made to an end entity certificate.
TLS clients are known to implement methods that may cause any certificate (except the end entity certificate in the original certificate chain sent by server) to be exchanged or removed from the trust chain when client builds trust chain.
Certificates the client can use to replace certificates from original chain include:
CAs frequently reissue certificates with a different validity period, a hash in the signature algorithm or PKIX extensions; only the public key, issuer and subject remain intact. Thes reissued certificates are certificates that the TLS client can use in place of original certificate.
Clients are known to exchange or remove certificates that could cause TLSA association that rely on the full certificate to fail. For example:
The "Full certificate" selector provides most precise specification of a trust anchor. Such non-ambiguity foils a class of hypothetical future attacks on a CA where the CA issues new certificate with an identical SubjectPublicKeyInfo, but a different issuer, subject, or extensions that would allow redirection of a trust chain. This "Full certificate" selector would also foil bad practices or negligence of a CA if the CA uses the same key for unrelated CA certificates.
For a DNS administrator, the best course to avoid false-positive failures at client's side when using this selector is:
A SubjectPublicKeyInfo selector gives greater flexibility in avoiding many false-positive failures caused by trust-chain-building algorithms used in many clients.
One specific use-case should be noted: creating a TLSA association to certificate I1 that directly signed end entity certificate S1 of the server. Because the key used to sign S1 is fixed, the association to I1 must succeed: if the client swaps I1 for I2 (a different certificate), I2's SubjectPublicKeyInfo must match the SubjectPublicKeyInfo of I1. Such association would not suffer from false-positive failure on the client if the client uses a reissued CA certificate I2 in place of I1.
The attack surface is a bit broader compared to "full certificate" selector:
Using the SubjectPublicKeyInfo selector for association with a certificate in a chain above I1 needs to be decided on a case-by-case basis: there are too many possibilities based on the issuing CA's practices. Unless the full implications of such an association are understood by the administrator, using selector type 0 is a better option from a security perspective.
In practice, sharing keys in differently-purposed CA certificates is rare, but certainly happens sometimes. An attack on an association by SubjectPublicKeyInfo would require either gross negligence on the part of the CA or an attacker gaining control of CA.
The TLSA resource record is not special in the DNS; it acts exactly like any other RRtype where the queried name has one or more labels prefixed to the base name, such as the SRV RRtype [RFC2782]. This affects the way that the TLSA resource record is used when aliasing in the DNS.
Note that the IETF sometimes adds new types of aliasing in the DNS. If that happens in the future, those aliases might affect TLSA records, hopefully in a good way.
sub1.example.com. IN CNAME sub2.example.com.
sub3.example.com. IN CNAME sub4.example.com. bottom.sub3.example.com. IN CNAME bottom.sub4.example.com.
Using CNAME to alias in DNS only aliases from the exact name given, not any zones below the given name. For example, assume that a zone file has only the following:
Application implementations and full-service resolvers request DNS records using libraries that automatically follow CNAME (and DNAME) aliasing. This allows hosts to put TLSA records in their own zones or to use CNAME to do redirection.
; No TLSA record in target domain ; sub5.example.com. IN CNAME sub6.example.com. _443._tcp.sub5.example.com. IN TLSA 1 1 1 308202c5308201ab... sub6.example.com. IN A 10.0.0.0
If the owner of the original domain wants a TLSA record for the same, they simply enter it under the defined prefix:
; TLSA record for original domain has CNAME to target domain ; sub5.example.com. IN CNAME sub6.example.com. _443._tcp.sub5.example.com. IN CNAME _443._tcp.sub6.example.com. sub6.example.com. IN A 10.0.0.0 _443._tcp.sub6.example.com. IN TLSA 1 1 1 536a570ac49d9ba4...
If the owner of the orginal domain wants to have the target domain host the TLSA record, the original domain uses a CNAME record:
; TLSA record in both the original and target domain ; sub5.example.com. IN CNAME sub6.example.com. _443._tcp.sub5.example.com. IN TLSA 1 1 1 308202c5308201ab... sub6.example.com. IN A 10.0.0.0 _443._tcp.sub6.example.com. IN TLSA 1 1 1 ac49d9ba4570ac49...
Note that it is acceptable for both the original domain and the target domain to have TLSA records, but the two records are unrelated. Consider the following:
Note that these methods use the normal method for DNS aliasing using CNAME: the DNS client requests the record type that they actually want.
Using DNAME records allows a zone owner to alias an entire subtree of names below the name that has the DNAME. This allows the wholesale aliasing of prefixed records such as those used by TLSA, SRV, and so on without aliasing the name itself. However, because DNAME can only be used for subtrees of a base name, it is rarely used to alias individual hosts that might also be running TLS.
; TLSA record in target domain, visible in original domain via DNAME ; sub5.example.com. IN CNAME sub6.example.com. _tcp.sub5.example.com. IN DNAME _tcp.sub6.example.com. sub6.example.com. IN A 10.0.0.0 _443._tcp.sub6.example.com. IN TLSA 1 1 1 536a570ac49d9ba4...
*._tcp.www.example.com. IN TLSA 1 1 1 5c1502a6549c423b...
Wildcards are generally not terribly useful for RRtypes that require prefixing because you can only wildcard at a layer below the host name. For example, if you want to have the same TLSA record for every TCP port for www.example.com, you might have
[[ This was proposed, and questioned, and not yet followed through on. ]]
[[ Need to add text here about the various ways that a client who is pulling in TLSA records can be sure that they are protected by DNSSEC. ]]
[[ Need to add text here about how to handle a change in certificate. It would cover using two TLSA records at the same time, the TTL on the RRset, and coordinating that with the use of the certificates in the TLS server. ]]
This appendix describes the interactions given earlier in this specification in pseudocode format. This appendix is non-normative. If the steps below disagree with the text earlier in the document, the steps earlier in the document should be considered correct and this text incorrect.
// implement the function for exiting function Finish (F) = { if (F == 0) { abort the TLS handshake or prevent TLS from starting exit } if (F == 1) { fall back to non-TLSA certificate validation exit } if (F == 2) { accept the TLS connection exit } // unreachable } // implement the selector function function Select (S, X) = { // Full certificate if (S == 0) { return X } // SubjectPublicKeyInfo if (S == 1) { return X.SubjectPublicKeyInfo } return undef } // implement the matching function function Match (M, X, Y) { // Exact match on selected content if (M == 0) { return (X == Y) } // SHA-256 hash of selected content if (M == 1) { return (SHA-256(X) == Y) } // SHA-512 hash of selected content if (M == 2) { return (SHA-512(X) == Y) } return undef }
TLS connect using [transport] to [name] on [port] and receiving end entity cert C for the TLS server:
(TLSArecords, ValState) = DNSSECValidatedLookup( domainname=_[port]._[transport].[name], RRtype=TLSA, class=IN) // check for states that would change processing if (ValState == BOGUS) { Finish(0) } if ((ValState == INDETERMINATE) or (ValState == INSECURE)) { Finish(1) } // if here, ValState must be SECURE for each R in TLSArecords { // unusable records include unknown certUsage, unknown // selectorType, unknown matchingType, and erroneous RDATA if (R is unusable) remove it from TLSArecords } if (length(TLSArecords) == 0) { Finish(1) } // A TLS client might have multiple trust anchors that it might use // when validating the TLS server's end entity certificate. Also, // there can be multiple PKIX validation chains for the // certificates given by the server in TLS. Thus, there are // possibly many chains that might need to be tested during // PKIX validation. for each R in TLSArecords { // pass PKIX validation and chain through CA cert from TLSA if (R.certUsage == 0) { for each PKIX validation chain H { if (C passes PKIX validation in H) { for each D in H { if (D is a CA certificate) and Match(matchingType, Select(selectorType, D), R) { Finish(2) } } } } // pass PKIX validation and match EE cert from TLSA if (R.certUsage == 1) { for each PKIX validation chain H { if (C passes PKIX validation in H) { if (Match(matchingType, Select(selectorType, C), R)) { Finish(2) } } } } // pass PKIX validation using TLSA record as trust anchor if (R.certUsage == 2) { for each PKIX validation chain H that has R as the trust anchor { if (C passes PKIX validation in H) { Finish(2) } } } } // if here, the none of the TLSA records was sufficient for TLS Finish(0)