On Wednesday, October 3, 2012 at 6:52 PM, Richard Barnes wrote:
>
> On Oct 3, 2012, at 6:22 PM, Warren Kumari wrote:
>
> >
> > On Oct 3, 2012, at 4:10 PM, James Cloos <[email protected]> wrote:
> >
> > > >>>>> "NM" == Nikos Mavrogiannopoulos <[email protected]> writes:
> > >
> > > NM> Are there any test or even real world https sites that support DANE?
> > >
> > > https://jhcloos.com/ (also supports spdy).
> >
> > www.kumari.net…
> >
> > Unfortunately the CN is *.kumari.net, and swede verify complains that:
> > WARNING: Name on the certificate (Subject:
> > /serialNumber=20Vw66yC802bGJ8IiSaq/ICmQRp2wah0/C=US/O=*.kumari.net/OU=GT03082892/OU=See
> > www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=*.kumari.net,
> > SubjectAltName: DNS:*.kumari.net, DNS:kumari.net) doesn't match requested
> > hostname (www.kumari.net).
> >
> >
> > I started writing a patch for swede to deal with wildcards, but then got
> > sidetracked :-P
> >
> > W
>
> Seems to me like the patch should just comment out the whole part that checks
> the CN, since that's an application-layer issue, not a DANE issue. Doesn't
> seem *that* harmful to throw a warning, though.
[ Apologies if this mail is formatted oddly, testing a new MUA ]
Yeah, that's what I did (well, actually I just made it return True if the
specific match doesn't work). I also commented out the AAAA checks. Sometime I
plan to go back and make it cleaner…
Output:
Received the following record for name _443._tcp.www.kumari.net.:
Usage: 1 (End-Entity Constraint + chain to CA)
Selector: 0 (Certificate)
Matching Type: 1 (SHA-256)
Certificate for Association:
4209129179ca542ed5df797e84d4de4d4cc8689b8aba579fda3f8844ec144dd5
This record is valid (well-formed).
Attempting to verify the record with the TLS service...
Got the following IP: 198.186.192.250
WARNING: Name on the certificate (Subject:
/serialNumber=20Vw66yC802bGJ8IiSaq/ICmQRp2wah0/C=US/O=*.kumari.net/OU=GT03082892/OU=See
www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated -
RapidSSL(R)/CN=*.kumari.net, SubjectAltName: DNS:*.kumari.net, DNS:kumari.net)
doesn't match requested hostname (www.kumari.net).
SUCCESS (Usage 1): Certificate offered by the server matches the one mentioned
in the TLSA record and chains to a valid CA certificate
The matched certificate has Subject:
/serialNumber=20Vw66yC802bGJ8IiSaq/ICmQRp2wah0/C=US/O=*.kumari.net/OU=GT03082892/OU=See
www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated -
RapidSSL(R)/CN=*.kumari.net
Patch:
--- swede.orig 2012-10-02 17:17:22.358961230 -0400
+++ swede 2012-10-04 12:11:11.300255130 -0400
@@ -254,7 +254,9 @@
else:
if with_msg:
print 'WARNING: Name on the certificate (Subject: %s, SubjectAltName: %s)
doesn\'t match requested hostname (%s).' % (str(cert.get_subject()),
altnames_on_cert, hostname)
- return False
+ # return False
+ # WK : deal with wildcards. Need to make this less icky...
+ return True
class TLSARecord:
"""When instanciated, this class contains all the fields of a TLSA record.
@@ -465,7 +467,8 @@
if not args.quiet:
print 'Attempting to verify the record with the TLS service...'
- addresses = getA(args.host, secure=secure) + getAAAA(args.host, secure=secure)
+# addresses = getA(args.host, secure=secure) + getAAAA(args.host,
secure=secure)
+ addresses = getA(args.host, secure=secure)
for address in addresses:
if not args.quiet:
print 'Got the following IP: %s' % str(address)
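Review bot: dropping `getAAAA` from `addresses` means the host's IPv6 endpoints are never connected to, so a mismatching certificate served over IPv6 would go unnoticed while the tool still prints SUCCESS for the IPv4 address. An explicit address-family option (an `--ipv4-only` style flag, assumed here, not present in the visible lines) would be preferable to commenting the lookup out. Also, the commented-out line is wrapped across two lines in the posted diff (`secure=secure)` sits on its own line), so the patch as pasted will not apply cleanly.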
@@ -601,7 +604,8 @@
sys.stdout.write('Port %s not numerical or within correct range (1 <= port <=
65535), try again (hit enter for default 443): ' % user_input)
# Get the address records for the host
try:
- addresses = getA(args.host, secure=secure) + getAAAA(args.host, secure=secure)
+# addresses = getA(args.host, secure=secure) + getAAAA(args.host,
secure=secure)
+ addresses = getA(args.host, secure=secure)
except InsecureLookupException, e:
print >> sys.stderr, str(e)
sys.exit(1)
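Review bot: this repeats the previous hunk's edit at a second call site, so the two will drift (one may regain `getAAAA` while the other does not); lift the A/AAAA lookup into one helper, say `get_addresses(host, secure)` (name assumed), called from both places so the address-family decision lives in a single spot. As in the earlier hunk, the commented-out line is wrapped over two lines here (`secure=secure)`), which will make the patch fail to apply.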
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
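Added here as an example, not part of the thread or of swede itself: a wildcard-aware hostname match that could stand in for the unconditional `return True` in the patch, together with the selector 0 / matching type 1 (full certificate, SHA-256) comparison that the output above reports. The names come from the thread; the certificate bytes are a constructed placeholder and the function names are assumptions.

```python
# Added example, not swede's own code. Names from the thread; DER bytes are a
# constructed placeholder, not the real certificate.
import hashlib


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style wildcard: '*' is accepted only as the entire leftmost
    label and matches exactly one label, so '*.kumari.net' matches
    'www.kumari.net' but neither 'kumari.net' nor 'a.b.kumari.net'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # partial or non-leftmost wildcards are rejected
    if len(p_labels) < 3:
        return False  # refuse '*.net' style wildcards
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cn: str, altnames: list, hostname: str) -> bool:
    """Use the dNSName SANs when present; fall back to the CN only otherwise."""
    candidates = altnames if altnames else [cn]
    return any(_label_matches(c, hostname) for c in candidates)


def tlsa_matches(cert_der: bytes, selector: int, matching_type: int,
                 association_hex: str) -> bool:
    """Selector 0 = full certificate; matching type 0 = exact, 1 = SHA-256."""
    if selector != 0:
        raise NotImplementedError("only selector 0 (full certificate) shown")
    if matching_type == 0:
        return cert_der.hex() == association_hex.lower()
    if matching_type == 1:
        return hashlib.sha256(cert_der).hexdigest() == association_hex.lower()
    raise ValueError("unsupported matching type %d" % matching_type)


if __name__ == "__main__":
    sans = ["*.kumari.net", "kumari.net"]  # SANs quoted in the warning above
    print(hostname_matches("*.kumari.net", sans, "www.kumari.net"))   # True
    print(hostname_matches("*.kumari.net", ["*.kumari.net"], "kumari.net"))  # False
    fake_der = b"constructed placeholder, not a real certificate"
    print(tlsa_matches(fake_der, 0, 1, hashlib.sha256(fake_der).hexdigest()))  # True
```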