From paul at nohats.ca Wed Jun 1 03:00:38 2016
From: paul at nohats.ca (Paul Wouters)
Date: Tue, 31 May 2016 23:00:38 -0400 (EDT)
Subject: [ldns-users] TLSA verification using ldns-dane
In-Reply-To: <1197b7a9-aaf9-c8a2-3b9c-052ed98f7a70@andreasschulze.de>
References: <1197b7a9-aaf9-c8a2-3b9c-052ed98f7a70@andreasschulze.de>
Message-ID:

On Tue, 31 May 2016, A. Schulze wrote:

> I use the command "ldns-dane verify www.example.org 443" to check if
> the TLSA record _443._tcp.www.example.org matches the certificate at
> https://www.example.org.
> That works.
>
> Now I try to check a mailserver that supports STARTTLS.

Not sure about ldns-dane, but I think it lacks STARTTLS support.

With the hash-slinger package installed, you can run:

tlsa --verify mx.nohats.ca --starttls smtp --port 25
SUCCESS (Usage 3 [DANE-EE]): Certificate offered by the server matches the TLSA record (193.110.157.68)

Paul


From sca at andreasschulze.de Wed Jun 1 11:06:48 2016
From: sca at andreasschulze.de (A. Schulze)
Date: Wed, 01 Jun 2016 13:06:48 +0200
Subject: [ldns-users] TLSA verification using ldns-dane
In-Reply-To:
References: <1197b7a9-aaf9-c8a2-3b9c-052ed98f7a70@andreasschulze.de>
Message-ID: <20160601130648.Horde.vxIaYqeoPKSmNeK-syBA3FV@andreasschulze.de>

Paul Wouters:

> Not sure about ldns-dane, but I think it lacks STARTTLS
> support.

My impression/expectation: this is what option "-i" was added for.

> With the hash-slinger package installed ...

I have to check if it's available on all platforms I have in mind ...
Thanks for that hint.

Andreas


From sca at andreasschulze.de Wed Jun 1 11:44:07 2016
From: sca at andreasschulze.de (A. Schulze)
Date: Wed, 01 Jun 2016 13:44:07 +0200
Subject: [ldns-users] TLSA verification using ldns-dane
In-Reply-To: <20160601130648.Horde.vxIaYqeoPKSmNeK-syBA3FV@andreasschulze.de>
References: <1197b7a9-aaf9-c8a2-3b9c-052ed98f7a70@andreasschulze.de>
 <20160601130648.Horde.vxIaYqeoPKSmNeK-syBA3FV@andreasschulze.de>
Message-ID: <20160601134407.Horde.WapkwgaO9R6yuMuybi41S3O@andreasschulze.de>

A. Schulze:

>> With the hash-slinger package installed ...
> I have to check if it's available on all platforms I have in mind ...
> Thanks for that hint.

hash-slinger is not an option here. It's not available for my target
platform, and tests on Debian fail because the tlsa tool requires direct
access to external DNS servers, but I only have a local unbound
forwarder :-/

So I'm still searching for a lean option to check TLSA validity.

Andreas


From willem at nlnetlabs.nl Wed Jun 1 12:03:30 2016
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Wed, 1 Jun 2016 14:03:30 +0200
Subject: [ldns-users] TLSA verification using ldns-dane
In-Reply-To: <20160601130648.Horde.vxIaYqeoPKSmNeK-syBA3FV@andreasschulze.de>
References: <1197b7a9-aaf9-c8a2-3b9c-052ed98f7a70@andreasschulze.de>
 <20160601130648.Horde.vxIaYqeoPKSmNeK-syBA3FV@andreasschulze.de>
Message-ID: <574ECF12.6080407@nlnetlabs.nl>

On 01-06-16 at 13:06, A. Schulze wrote:
>
> Paul Wouters:
>
>> Not sure about ldns-dane, but I think it lacks STARTTLS
>> support.
> My impression/expectation: this is what option "-i" was added for.

No, it was to provide a channel to interact after the TLS is set up.
Similar to what openssl s_client does.

You could collect the certificate with openssl s_client and then use
ldns-dane to verify it.

$ openssl s_client -connect nlnetlabs.nl:25 -starttls smtp | openssl x509 >nlnetlabs.nl.smtp.crt
$ ldns-dane -c nlnetlabs.nl.smtp.crt verify nlnetlabs.nl 25
OU=Domain Control Validated, CN=*.nlnetlabs.nl dane-validated successfully

>> With the hash-slinger package installed ...
> I have to check if it's available on all platforms I have in mind ...
> Thanks for that hint.
>
> Andreas
>
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/ldns-users


From sca at andreasschulze.de Wed Jun 1 12:57:55 2016
From: sca at andreasschulze.de (A. Schulze)
Date: Wed, 01 Jun 2016 14:57:55 +0200
Subject: [ldns-users] TLSA verification using ldns-dane
In-Reply-To: <574ECF12.6080407@nlnetlabs.nl>
References: <1197b7a9-aaf9-c8a2-3b9c-052ed98f7a70@andreasschulze.de>
 <20160601130648.Horde.vxIaYqeoPKSmNeK-syBA3FV@andreasschulze.de>
 <574ECF12.6080407@nlnetlabs.nl>
Message-ID: <20160601145755.Horde.VlEHww31jfV-h8hI3nuNCa4@andreasschulze.de>

Willem Toorop:

> You could collect the certificate with openssl s_client and then use
> ldns-dane to verify it.
>
> $ openssl s_client -connect nlnetlabs.nl:25 -starttls smtp | openssl
> x509 >nlnetlabs.nl.smtp.crt
> $ ldns-dane -c nlnetlabs.nl.smtp.crt verify nlnetlabs.nl 25
> OU=Domain Control Validated, CN=*.nlnetlabs.nl dane-validated successfully

Thanks, that's what I could use.

Andreas
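The openssl s_client / ldns-dane -c workflow in Willem's reply ends with the step ldns-dane performs internally: comparing the captured certificate against the TLSA record's certificate association data. The following Python is an added example (not code from the thread, from ldns or from hash-slinger) of that comparison for the usage 3 [DANE-EE] case Paul's tlsa output shows, supporting selector 0 (full certificate) and 1 (SubjectPublicKeyInfo) with matching types 0, 1 and 2; the function names and the constructed certificate skeleton are my own, and in practice the input would be the DER form of the .crt file (openssl x509 -outform DER).

```python
import hashlib

def der_tlv(tag, body):
    """Encode one DER TLV (lengths up to 65535 are enough for this demo)."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + body

def der_children(data):
    """Yield (tag, whole TLV, inner value) for each element of a constructed DER value."""
    i = 0
    while i < len(data):
        start, tag, ln, i = i, data[i], data[i + 1], i + 2
        if ln & 0x80:                                   # long-form length
            k = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + k], "big"), i + k
        yield tag, data[start:i + ln], data[i:i + ln]
        i += ln

def spki_from_cert(cert_der):
    """TLSA selector 1: the DER SubjectPublicKeyInfo inside tbsCertificate."""
    _, _, cert_body = next(der_children(cert_der))      # Certificate ::= SEQUENCE { ... }
    _, _, tbs = next(der_children(cert_body))           # first element is tbsCertificate
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                            # explicit [0] version is optional
        fields = fields[1:]
    return fields[5][1]        # serialNumber, signature, issuer, validity, subject, SPKI

def tlsa_data(cert_der, selector, mtype):
    """Certificate association data for a TLSA selector (0 cert, 1 SPKI) and matching type."""
    subject = cert_der if selector == 0 else spki_from_cert(cert_der)
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(), 2: lambda b: hashlib.sha512(b).digest()}
    return digest[mtype](subject)

def tlsa_matches(cert_der, record):
    """Check the leaf certificate against one TLSA record in presentation form ('3 1 1 <hex>')."""
    usage, selector, mtype, hexdata = record.split()
    if int(usage) not in (1, 3):   # usages 0/2 constrain a CA in the chain, not the leaf; 1 also needs PKIX
        raise ValueError("only PKIX-EE (1) and DANE-EE (3) can be checked against the leaf alone")
    return tlsa_data(cert_der, int(selector), int(mtype)) == bytes.fromhex(hexdata)

def constructed_cert():
    """Constructed certificate skeleton with the X.509 field order (not a real, signed cert)."""
    name = der_tlv(0x30, b"")
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                   + der_tlv(0x03, b"\x00\x04" + bytes(range(64))))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + der_tlv(0x30, b"")
                  + name + der_tlv(0x30, der_tlv(0x17, b"160601000000Z") * 2) + name + spki)
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00")), spki
```

A match here says only that the offered leaf certificate is the one the zone pins; whether the TLSA record itself is trustworthy still depends on DNSSEC validation of the lookup, which ldns-dane performs and which is why a validating resolver such as Andreas' local unbound matters.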