We should do some lobbying with browser vendors to get attention from the masses. It will help DANE if requested by users. ;-)
What TLS-libraries do other browsers use? What TLS-libraries other than OpenSSL support DANE-TLS?

Mozilla Firefox -> NSS
Google Chrome/Chromium -> BoringSSL

On 26 August 2016 at 18:25, "Viktor Dukhovni" <[email protected]> wrote:
> For those who might not yet have heard the news, OpenSSL 1.1.0 was
> released yesterday and includes support for DANE TLSA authentication.
>
> https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_dane_enable.html
> https://www.openssl.org/docs/manmaster/apps/s_client.html
>
> Example:
>
>     $ PATH=/.../OpenSSL_1_1_0/bin:$PATH
>     $ dig +short -t mx ietf.org |
>         while read pref mx; do
>             mx=${mx%.}
>             printf "=== %s\n" "$mx"
>             dig +short -t tlsa "_25._tcp.$mx" |
>                 while read rrdata; do
>                     printf "+++ %s\n" "$rrdata"
>                     (sleep 2; printf "QUIT\r\n" ) |
>                         openssl s_client -brief -starttls smtp -connect "$mx:25" \
>                             -dane_tlsa_domain "$mx" -dane_tlsa_rrdata "$rrdata" \
>                             -dane_ee_no_namechecks
>                 done
>         done
>     === mail.ietf.org
>     +++ 3 1 1 0C72AC70B745AC19998811B131D662C9AC69DBDBE7CB23E5B514B566 64C5D3D6
>     CONNECTION ESTABLISHED
>     Protocol version: TLSv1.2
>     Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
>     Peer certificate: OU = Domain Control Validated, CN = *.ietf.org
>     Hash used: SHA512
>     Verification: OK
>     Verified peername: *.ietf.org
>     DANE TLSA 3 1 1 ...e7cb23e5b514b56664c5d3d6 matched EE certificate at depth 0
>     Supported Elliptic Curve Point Formats:
>     uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
>     Server Temp Key: ECDH, P-256, 256 bits
>     250 8BITMIME
>     DONE
>
> --
> Viktor.
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane
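Added example (not part of the original messages and not OpenSSL's code): Python code showing how a TLSA record like the "3 1 1" one quoted above is parsed and compared against a certificate per RFC 6698, including the space that dig inserts into long hex data. The function names and the SAMPLE_* byte strings are assumptions constructed for illustration; real input would be the DER certificate and its DER SubjectPublicKeyInfo.

```python
import hashlib

# Matching type -> digest constructor (RFC 6698, 2.1.3); type 0 compares raw bytes.
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}

# The rrdata printed in the quoted message, including dig's split of the hex.
PAGE_RRDATA = "3 1 1 0C72AC70B745AC19998811B131D662C9AC69DBDBE7CB23E5B514B566 64C5D3D6"

# Constructed stand-ins (assumptions) for a DER certificate and its SPKI.
SAMPLE_SPKI = b"constructed-spki-bytes"
SAMPLE_CERT = b"constructed-tbs-prefix" + SAMPLE_SPKI + b"constructed-signature"


def parse_tlsa(rrdata):
    """Parse 'usage selector mtype hex...'; the hex part may contain spaces."""
    fields = rrdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA rrdata needs usage, selector, mtype and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in USAGES or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported TLSA parameters: %r" % fields[:3])
    data = bytes.fromhex("".join(fields[3:]))
    # A truncated or padded digest can never match; reject it up front.
    if mtype in DIGESTS and len(data) != DIGESTS[mtype]().digest_size:
        raise ValueError("digest length does not fit matching type %d" % mtype)
    return usage, selector, mtype, data


def tlsa_matches(rrdata, cert_der, spki_der):
    """True if the record's association data matches the selected object.

    The usage field decides which certificate in the chain the caller passes
    in (the end-entity certificate for usage 3); it is not evaluated here.
    """
    _usage, selector, mtype, data = parse_tlsa(rrdata)
    selected = spki_der if selector == 1 else cert_der  # 1 = SPKI, 0 = full cert
    candidate = DIGESTS[mtype](selected).digest() if mtype in DIGESTS else selected
    return candidate == data


def sample_record(selector=1, mtype=1):
    """Build a dig-style DANE-EE record for the constructed sample."""
    selected = SAMPLE_SPKI if selector == 1 else SAMPLE_CERT
    hexdata = DIGESTS[mtype](selected).hexdigest().upper()
    return "3 %d %d %s %s" % (selector, mtype, hexdata[:56], hexdata[56:])
```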
