For those who might not yet have heard the news, OpenSSL 1.1.0 was
released yesterday and includes support for DANE TLSA authentication.
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_dane_enable.html
https://www.openssl.org/docs/manmaster/apps/s_client.html
Example:
$ PATH=/.../OpenSSL_1_1_0/bin:$PATH
$ dig +short -t mx ietf.org |
while read pref mx; do
mx=${mx%.}
printf "=== %s\n" "$mx"
dig +short -t tlsa "_25._tcp.$mx" |
while read rrdata; do
printf "+++ %s\n" "$rrdata"
(sleep 2; printf "QUIT\r\n" ) |
openssl s_client -brief -starttls smtp -connect "$mx:25" \
-dane_tlsa_domain "$mx" -dane_tlsa_rrdata "$rrdata" \
-dane_ee_no_namechecks
done
done
=== mail.ietf.org
+++ 3 1 1 0C72AC70B745AC19998811B131D662C9AC69DBDBE7CB23E5B514B566 64C5D3D6
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
Peer certificate: OU = Domain Control Validated, CN = *.ietf.org
Hash used: SHA512
Verification: OK
Verified peername: *.ietf.org
DANE TLSA 3 1 1 ...e7cb23e5b514b56664c5d3d6 matched EE certificate at depth 0
Supported Elliptic Curve Point Formats:
uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Server Temp Key: ECDH, P-256, 256 bits
250 8BITMIME
DONE
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
