On Mon, Nov 10, 2014 at 12:36:41AM -0500, Paul Wouters wrote:

[ Speaking of deploy360, nobody is regularly testing the listed sites at:
http://www.internetsociety.org/deploy360/resources/dane-test-sites/
For example, https://www.statdns.net/ no longer matches its
TLSA record, presumably after key rotation without a TLSA RR
update, since its certificate digest is different from the
content of the "3 0 1" associated data.
]
> https://www.dnssec-validator.cz/
>
> DNSSEC/TLSA Validator is a web browser add-on which allows you to check
> the existence and validity of DNS Security Extensions (DNSSEC) records
> and Transport Layer Security Association (TLSA) records related to
> domain names. Results of these checks are displayed by using icons and
> information texts in the page's address-bar or browser tool-bar.
> Currently, Internet Explorer (IE), Mozilla Firefox (MF), Google
> Chrome/Chromium (GC), Opera (OP), Apple Safari (AS) are supported.
Browser plugins are a bit tricky to script. For scriptable code:
$ git clone https://github.com/vdukhovni/ssl_dane
$ cd ssl_dane
$ git checkout wip-perl-module
$ : edit Makefile if platform is not Linux
$ make
$ sudo make install
$ cd Danessl
$ : edit Makefile.PL if platform is not Linux
$ perl Makefile.PL
$ make
$ sudo make install
With the library and Perl module installed, the attached perl code
can be used as shown in the shell fragment below:
#! /bin/sh
# At least one of SSL_CERT_FILE or SSL_CERT_DIR
# must be set to a suitable cert store for PKIX-TA
# and PKIX-EE to work. The OpenSSL built-in defaults
# are disabled by ssldane.pl, you must elect them
# explicitly.
#
export SSL_CERT_FILE=/etc/ssl/... # multi-cert CAfile
export SSL_CERT_DIR=/etc/ssl/... # hashed CApath
test_site() {
    echo "--- Testing $1..."
    perl ./ssldane.pl "$@"
    echo "--- Exit code: $?"
    echo
}
for site in good bad-hash bad-params bad-sig
do
    test_site $site.dane.verisignlabs.com 443
done
Note: the code requires a loopback (127.0.0.1) resolver that is a
DNSSEC-validating resolver (unbound is a good choice). For testing,
though, you can edit ssldane.pl and specify some other resolver
address near the top of the file.
Sample output:
--- Testing good.dane.verisignlabs.com...
;; Passed(depth 0): good.dane.verisignlabs.com. IN TLSA 3 0 1 0332aa2d58b3e0544b65656438937068ba44ce2f14469c4f50c9cc6933c808d3
--- Exit code: 0
--- Testing bad-hash.dane.verisignlabs.com...
;; Failed: bad-hash.dane.verisignlabs.com. IN TLSA 3 0 1 9999999999999999999999999999999999999999999999999999999999999999: unable to get local issuer certificate: (20)
--- Exit code: 1
--- Testing bad-params.dane.verisignlabs.com...
;; Failed: bad-params.dane.verisignlabs.com. IN TLSA 3 0 17 0332aa2d58b3e0544b65656438937068ba44ce2f14469c4f50c9cc6933c808d3: error processing TLSA RR
;; Failed: bad-params.dane.verisignlabs.com. IN TLSA 3 119 1 0332aa2d58b3e0544b65656438937068ba44ce2f14469c4f50c9cc6933c808d3: error processing TLSA RR
;; Failed: bad-params.dane.verisignlabs.com. IN TLSA 51 0 1 0332aa2d58b3e0544b65656438937068ba44ce2f14469c4f50c9cc6933c808d3: error processing TLSA RR
--- Exit code: 1
--- Testing bad-sig.dane.verisignlabs.com...
DNS Lookup failed: bad-sig.dane.verisignlabs.com IN A ?: SERVFAIL
--- Exit code: 255
Digest agility support is not yet a feature of the underlying C
library. So it should be added to the script, until the library
support is in place. That's a TODO.
--
Viktor.
P.S. Your Net::SSLeay Perl module needs to be quite recent, get
a newer one from CPAN if it does not understand the get_peer_cert_chain()
method.
The "Danessl.pm" Perl module is still in early development. Use
at your own risk, no support or documentation beyond RTFS.
The module code assumes (for no particular reason) that Perl is at
least 5.12.5, likely earlier versions work too, adjust as necessary.
Attachment: ssldane.pl (Perl program)
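As an added illustration (not code from the ssl_dane library or the attached ssldane.pl), here are the checks behind the sample output above: parsing a TLSA RR, rejecting unknown usage/selector/matching-type values as "error processing TLSA RR", matching a "3 0 1" digest against a certificate, and the digest agility step the message lists as a TODO, so that a weaker digest cannot stand in for a stronger one published alongside it. The certificate bytes are a constructed placeholder for the DER a TLS handshake would return, and the agility rule is my reading of RFC 7671 section 9, not something the message states.

```python
import hashlib
from typing import List, NamedTuple
# Constructed stand-in for the DER leaf certificate a TLS handshake would return.
CERT_DER = b"\x30\x82\x01\x00" + b"constructed example certificate body"
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}  # matching type -> digest
class TLSA(NamedTuple):
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format rdata such as '3 0 1 0332aa...'; unknown
    parameter values raise ValueError (the 'error processing TLSA RR' case)."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    u, s, m = int(usage), int(selector), int(mtype)
    if not (0 <= u <= 3 and 0 <= s <= 1 and 0 <= m <= 2):
        raise ValueError(f"error processing TLSA RR (params {u} {s} {m})")
    data = bytes.fromhex("".join(hexdata.split()))  # tolerate wrapped hex
    if m in DIGESTS and len(data) != DIGESTS[m]().digest_size:
        raise ValueError("error processing TLSA RR (bad digest length)")
    return TLSA(u, s, m, data)

def matches(rr: TLSA, cert_der: bytes, spki_der: bytes = b"") -> bool:
    """True when the association data matches the presented certificate."""
    subject = cert_der if rr.selector == 0 else spki_der
    return rr.data == (subject if rr.mtype == 0 else DIGESTS[rr.mtype](subject).digest())

def digest_agility(rrs: List[TLSA]) -> List[TLSA]:
    """Per (usage, selector) keep Full(0) records plus only the strongest digest
    type present (a reading of RFC 7671 section 9, not the ssl_dane library)."""
    best = {}
    for rr in rrs:
        key = rr.usage, rr.selector
        best[key] = max(best.get(key, 0), rr.mtype)
    return [rr for rr in rrs if rr.mtype == 0 or rr.mtype == best[rr.usage, rr.selector]]

def verify(rdatas: List[str], cert_der: bytes, spki_der: bytes = b""):
    """DANE-EE(3) check of a leaf cert against a TLSA RRset; returns (ok, report),
    report mapping each rdata to 'Passed', 'Failed' or its parse error."""
    report, parsed = {}, []
    for r in rdatas:
        try:
            parsed.append((r, parse_tlsa(r)))
        except ValueError as e:
            report[r] = str(e)
    usable = digest_agility([rr for _, rr in parsed])
    for r, rr in parsed:
        hit = rr in usable and rr.usage == 3 and matches(rr, cert_der, spki_der)
        report[r] = "Passed" if hit else "Failed"
    return "Passed" in report.values(), report
```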
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
