On Mon, Nov 10, 2014 at 08:02:38AM -1000, Shumon Huque wrote:
> There's a slightly newer version of that script in the develop branch:
>
> https://github.com/getdnsapi/getdns-python-bindings/blob/develop/examples/checkdanecert.py
>
> Note that this script currently only does usage type 3, and it works for
> services that do SSL first (rather than negotiate STARTTLS). The Python
> M2Crypto SSL interface has some significant limitations. For example, it
> doesn't expose the function to set the TLS SNI extension, so on some
> multihomed servers, the server won't be able to figure out the correct
> certificate to present leading to the script failing the check.
The "swede" code on github, for all its faults, seems to suggest that
M2Crypto does in fact support SNI.
from M2Crypto import X509, SSL
...
connection = SSL.Connection(ctx, sock=sock)
# Try to use SNI for virtual hosts if available
try:
    # We don't want the trailing dot here
    connection.set_tlsext_host_name(args.host[:-1])
except AttributeError:
    # Assumed completion of the truncated snippet: older M2Crypto builds
    # lack set_tlsext_host_name, so the handshake proceeds without SNI
    pass
Perhaps you need a sufficiently new version of the module.
> We have a more complete Python example that additionally does the PKIX-*
> mode checks (0 and 1), and we had slides on that example in our recent
> RIPE69 getdns tutorial (which we ran out of time to present during the
> session itself). I'll work on getting that example posted on the github
> site soon.
The ssl_dane library is easy to embed into Python (perhaps easier
than into Perl). That may be a good approach, and would support
all the parameter values and other fine details. It uses OpenSSL
for the underlying non-DANE-specific bits.
Though useful for online validation of peers with which you then
communicate, in test mode it operates "off-line": give it a chain,
a TLSA record and a peername list, and it tells you whether the
chain is matched or not.
So you can use any SSL toolkit you want to grab the chain, and the
library then handles the validation. The only known limitations are
that digest agility currently belongs in the application layer
outside the library and that IDNA hostnames are not yet supported.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
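As an added illustration of the "off-line" check Viktor describes (hand the validator a certificate and a TLSA RRset, get back a match/no-match verdict), here is a small standard-library Python example that covers usage type 3 only. It is not code from this thread, from swede, from the getdns examples or from ssl_dane. The certificate it checks is constructed inline (syntactically valid DER with a dummy RSA key and a garbage signature), the function and variable names are the author's own, and the digest-selection rule in select_records is a simplified rendering of the RFC 7671 digest-agility logic, which, as the thread notes, lives in the application rather than in the library.

```python
"""Offline DANE-EE (usage 3) TLSA matching, standard library only.

Added example for this thread; not code from swede, getdns or ssl_dane.
Input: an end-entity certificate in DER form and a TLSA RRset in
presentation format ("usage selector mtype hex"). Output: the record
that matches, or None. A tiny DER walker extracts the
SubjectPublicKeyInfo for selector 1.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

TlsaTuple = Tuple[int, int, int, bytes]


def der_encode(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf: bytes, off: int = 0) -> Tuple[int, bytes, int]:
    """Read one TLV at buf[off:]; return (tag, body, offset past it)."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.
    tbsCertificate: [0] version (optional), serialNumber, signature,
    issuer, validity, subject, subjectPublicKeyInfo, ... so the SPKI is
    the sixth mandatory field."""
    _, cert_body, _ = der_read(cert_der)      # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert_body)           # tbsCertificate SEQUENCE
    fields: List[bytes] = []
    off = 0
    while off < len(tbs) and len(fields) < 6:
        start = off
        tag, _, off = der_read(tbs, off)
        if not fields and tag == 0xA0:        # skip explicit [0] version
            continue
        fields.append(tbs[start:off])
    return fields[5]


def parse_tlsa(presentation: str) -> TlsaTuple:
    """'3 1 1 ab cd...' -> (usage, selector, mtype, data bytes)."""
    usage, selector, mtype, *hexparts = presentation.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def tlsa_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Association data a TLSA record would carry for this certificate."""
    obj = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return obj
    if mtype == 1:
        return hashlib.sha256(obj).digest()
    if mtype == 2:
        return hashlib.sha512(obj).digest()
    raise ValueError("unsupported matching type %d" % mtype)


def make_tlsa_record(cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """Generate the presentation-format TLSA record for a certificate."""
    return "%d %d %d %s" % (usage, selector, mtype, tlsa_data(cert_der, selector, mtype).hex())


def select_records(records: List[str]) -> List[Tuple[str, TlsaTuple]]:
    """Simplified digest agility (after RFC 7671 section 8): within each
    (usage, selector) group keep only the strongest digest type present,
    plus any Full(0) records; unsupported matching types are dropped."""
    parsed = [(r, parse_tlsa(r)) for r in records]
    strongest: Dict[Tuple[int, int], int] = {}
    for _, (u, s, m, _) in parsed:
        if m in (1, 2):
            strongest[(u, s)] = max(strongest.get((u, s), 0), m)
    return [(r, t) for r, t in parsed
            if t[2] == 0 or t[2] == strongest.get((t[0], t[1]))]


def dane_ee_match(cert_der: bytes, records: List[str]) -> Optional[str]:
    """First usage-3 record matching the end-entity cert, or None.
    Usages 0-2 need PKIX chain validation and are ignored here."""
    for rec, (usage, selector, mtype, data) in select_records(records):
        if usage == 3 and tlsa_data(cert_der, selector, mtype) == data:
            return rec
    return None


def build_test_cert() -> bytes:
    """Constructed X.509 v3 DER with a dummy RSA key and a garbage
    signature: enough for the walker above, useless to any TLS stack."""
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010101"))  # rsaEncryption
                     + der_encode(0x05, b""))
    pubkey = der_encode(0x30, der_encode(0x02, bytes.fromhex("00c123456789"))
                        + der_encode(0x02, bytes.fromhex("010001")))
    spki = der_encode(0x30, alg + der_encode(0x03, b"\x00" + pubkey))
    name = der_encode(0x30, der_encode(0x31, der_encode(0x30,
           der_encode(0x06, bytes.fromhex("550403")) + der_encode(0x0C, b"example.test"))))
    validity = der_encode(0x30, der_encode(0x17, b"240101000000Z") + der_encode(0x17, b"340101000000Z"))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
                     + alg + name + validity + name + spki)
    return der_encode(0x30, tbs + alg + der_encode(0x03, b"\x00" * 9))


if __name__ == "__main__":
    cert = build_test_cert()
    rrset = [make_tlsa_record(cert, 3, 1, 1), "3 0 1 " + "00" * 32]
    print("matched:", dane_ee_match(cert, rrset))
```

Because the check is purely offline, the DER blob can come from whatever toolkit you used to grab the chain (M2Crypto, getdns, ssl_dane or a packet capture); only the end-entity certificate is consulted, which is what makes usage 3 simpler than the PKIX-* usages.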