[ldns-users] TLSA verification using ldns-dane
Willem Toorop
willem at nlnetlabs.nl
Wed Jun 1 12:03:30 UTC 2016
On 01-06-16 at 13:06, A. Schulze wrote:
>
> Paul Wouters:
>
>> Not sure about ldns-dane, but I think it lacks STARTTLS
>> support.
> My impression/expectation: this is what option "-i" was added for.
No, it was to provide a channel to interact after the TLS is set up.
Similar to what openssl s_client does.
You could collect the certificate with openssl s_client and then use
ldns-dane to verify it.
$ openssl s_client -connect nlnetlabs.nl:25 -starttls smtp | openssl x509 >nlnetlabs.nl.smtp.crt
$ ldns-dane -c nlnetlabs.nl.smtp.crt verify nlnetlabs.nl 25
OU=Domain Control Validated, CN=*.nlnetlabs.nl dane-validated successfully
>> With the hash-slinger package installed ...
> I've to check if it's available on all platforms I've in mind ...
> Thanks for that hint.
>
> Andreas
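Added example, not part of the original message or of ldns: the certificate-association comparison that a TLSA record's selector and matching type define (RFC 6698), applied to a certificate such as the PEM file saved with openssl x509 above. The function names are hypothetical, the input is a constructed DER skeleton rather than a real certificate, and the check covers neither DNSSEC validation of the TLSA RRset nor certificate chain validation, which a full DANE verification also needs.

```python
import base64, hashlib, hmac, re

def pem_to_der(pem):
    """Decode the first PEM certificate (the file `openssl x509` writes)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode(m.group(1))

def _tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element at offset off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length

def spki_der(cert):
    """Slice SubjectPublicKeyInfo (selector 1) out of a DER certificate."""
    _, pos, _ = _tlv(cert, 0)              # Certificate SEQUENCE
    _, pos, _ = _tlv(cert, pos)            # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert, pos)
    if tag == 0xA0:                        # optional explicit [0] version
        pos = end
    for _field in range(5):                # serial, sigAlg, issuer, validity, subject
        _, _, pos = _tlv(cert, pos)
    return cert[pos:_tlv(cert, pos)[2]]

def tlsa_data(cert, selector, mtype):
    """Certificate association data for a selector / matching type pair."""
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported selector or matching type")
    data = cert if selector == 0 else spki_der(cert)
    return data if mtype == 0 else hashlib.new(("sha256", "sha512")[mtype - 1], data).digest()

def cert_matches_tlsa(cert, rdata):
    _usage, selector, mtype, hexdata = rdata.split(None, 3)  # presentation format
    want = bytes.fromhex("".join(hexdata.split()))
    return hmac.compare_digest(tlsa_data(cert, int(selector), int(mtype)), want)

# Constructed DER skeleton with a certificate's field layout (not a real certificate).
def _der(tag, *parts):
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
SPKI = _der(0x30, _der(0x30), _der(0x03, b"\x00\x01\x02"))
TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), *[_der(0x30)] * 4, SPKI)
CERT = _der(0x30, TBS, _der(0x30), _der(0x03, b"\x00"))
RDATA = "3 1 1 " + hashlib.sha256(SPKI).hexdigest()  # constructed TLSA rdata
```

With a real certificate, pass the contents of the saved PEM file through pem_to_der and compare against the rdata of the TLSA record published for the port.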