Re: [dane] Two additions to draft-york-dane-deployment-observations-00
Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 10 November 2014 08:53 UTC
Date: Mon, 10 Nov 2014 08:53:03 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141110085303.GS161@mournblade.imrryr.org>
References: <20141107232915.GA31913@laperouse.bortzmeyer.org> <6DB8CC95-E47A-4C0B-BC0B-7D9A4F8F65B5@edvina.net> <20141109035925.GA20946@laperouse.bortzmeyer.org> <alpine.LFD.2.10.1411100035410.11243@bofh.nohats.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/2Hw2djM5uQRm1Zay1qDmFKH48zY
On Mon, Nov 10, 2014 at 12:36:41AM -0500, Paul Wouters wrote:

[ Speaking of deploy360, nobody is regularly testing the listed sites at:

  http://www.internetsociety.org/deploy360/resources/dane-test-sites/

  For example, https://www.statdns.net/ no longer matches its TLSA record,
  presumably after key rotation without a TLSA RR update, since its
  certificate digest is different from the content of the "3 0 1"
  associated data. ]

> https://www.dnssec-validator.cz/
>
> DNSSEC/TLSA Validator is a web browser add-on which allows you to check
> the existence and validity of DNS Security Extensions (DNSSEC) records
> and Transport Layer Security Association (TLSA) records related to
> domain names. Results of these checks are displayed by using icons and
> information texts in the page's address-bar or browser tool-bar.
> Currently, Internet Explorer (IE), Mozilla Firefox (MF), Google
> Chrome/Chromium (GC), Opera (OP), Apple Safari (AS) are supported.

Browser plugins are a bit tricky to script.  For scriptable code:

    $ git clone https://github.com/vdukhovni/ssl_dane
    $ cd ssl_dane
    $ git checkout wip-perl-module
    $ : edit Makefile if platform is not Linux
    $ make
    $ sudo make install
    $ cd Danessl
    $ : edit Makefile.PL if platform is not Linux
    $ perl Makefile.PL
    $ make
    $ sudo make install

With the library and Perl module installed, the attached perl code can
be used as shown in the shell fragment below:

    #! /bin/sh

    # At least one of SSL_CERT_FILE or SSL_CERT_DIR
    # must be set to a suitable cert store for PKIX-TA
    # and PKIX-EE to work.  The OpenSSL built-in defaults
    # are disabled by ssldane.pl, you must elect them
    # explicitly.
    #
    # export SSL_CERT_FILE=/etc/ssl/...    # multi-cert CAfile
    export SSL_CERT_DIR=/etc/ssl/...       # hashed CApath

    test_site() {
        echo "--- Testing $1..."
        perl ./ssldane.pl "$@"
        echo "--- Exit code: $?"
        echo
    }

    for site in good bad-hash bad-params bad-sig
    do
        test_site $site.dane.verisignlabs.com 443
    done

Note, the code requires a loopback (127.0.0.1) resolver that is a DNSSEC
validating resolver (unbound is a good choice).  Though for testing you
can edit ssldane.pl and specify some other resolver address near the top
of the file.

Sample output:

    --- Testing good.dane.verisignlabs.com...
    ;; Passed(depth 0): good.dane.verisignlabs.com. IN TLSA 3 0 1 0332aa2d58b3e0544b65656438937068ba44ce2f14469c4f50c9cc6933c808d3
    --- Exit code: 0

    --- Testing bad-hash.dane.verisignlabs.com...
    ;; Failed: bad-hash.dane.verisignlabs.com. IN TLSA 3 0 1 9999999999999999999999999999999999999999999999999999999999999999: unable to get local issuer certificate: (20)
    --- Exit code: 1

    --- Testing bad-params.dane.verisignlabs.com...
    ;; Failed: bad-params.dane.verisignlabs.com. IN TLSA 3 0 17 0332aa2d58b3e0544b65656438937068ba44ce2f14469c4f50c9cc6933c808d3: error processing TLSA RR
    ;; Failed: bad-params.dane.verisignlabs.com. IN TLSA 3 119 1 0332aa2d58b3e0544b65656438937068ba44ce2f14469c4f50c9cc6933c808d3: error processing TLSA RR
    ;; Failed: bad-params.dane.verisignlabs.com. IN TLSA 51 0 1 0332aa2d58b3e0544b65656438937068ba44ce2f14469c4f50c9cc6933c808d3: error processing TLSA RR
    --- Exit code: 1

    --- Testing bad-sig.dane.verisignlabs.com...
    DNS Lookup failed: bad-sig.dane.verisignlabs.com IN A ?: SERVFAIL
    --- Exit code: 255

Digest agility support is not yet a feature of the underlying C library.
So it should be added to the script, until the library support is in
place.  That's a TODO.

-- 
	Viktor.

P.S. Your Net::SSLeay Perl module needs to be quite recent, get a newer
one from CPAN if it does not understand the get_peer_cert_chain() method.

The "Danessl.pm" Perl module is still in early development.  Use at your
own risk, no support or documentation beyond RTFS.

The module code assumes (for no particular reason) that Perl is at least
5.12.5, likely earlier versions work too, adjust as necessary.
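As an added example (not ssldane.pl, the Danessl module, or any code from this thread), the Python below shows the three checks the sample output above exercises, plus the digest agility rule the post lists as a TODO: TLSA records with out-of-range usage/selector/matching type are rejected as "error processing TLSA RR", a DANE-EE(3) record is compared against the leaf certificate or its SPKI, and when several records share a usage/selector only the strongest digest type is consulted. Assumptions: the certificate and SPKI values are constructed stand-in bytes (on a real connection they would be the peer's DER leaf certificate and its SubjectPublicKeyInfo), and only usage 3 is matched, since PKIX-* and DANE-TA need chain building that this snippet does not do.

```python
import hashlib
import hmac

# Added example, not the post's code. Parameter ranges from RFC 6698.
USAGES, SELECTORS, MTYPES = {0, 1, 2, 3}, {0, 1}, {0, 1, 2}
DIGEST = {1: hashlib.sha256, 2: hashlib.sha512}   # SHA2-256(1), SHA2-512(2)


def parse_tlsa(presentation):
    """Parse 'usage selector mtype hexdata'; None means 'error processing TLSA RR'."""
    fields = presentation.split()
    if len(fields) != 4:
        return None
    try:
        usage, selector, mtype = (int(f) for f in fields[:3])
        data = bytes.fromhex(fields[3])
    except ValueError:
        return None
    if usage not in USAGES or selector not in SELECTORS or mtype not in MTYPES:
        return None                      # e.g. "3 0 17", "3 119 1", "51 0 1"
    if mtype in DIGEST and len(data) != DIGEST[mtype]().digest_size:
        return None                      # digest length must fit the declared type
    return usage, selector, mtype, data


def digest_agility(rrs):
    """Per (usage, selector) keep only the strongest digest type present.
    Full(0) records carry no digest, so they are always kept (as I read RFC 7671 s5.1)."""
    best = {}
    for usage, selector, mtype, _ in rrs:
        if mtype and mtype > best.get((usage, selector), 0):
            best[(usage, selector)] = mtype
    return [rr for rr in rrs if rr[2] == 0 or rr[2] == best[rr[:2]]]


def tlsa_matches(rr, cert_der, spki_der):
    """DANE-EE(3) check: record data vs. the leaf cert (selector 0) or its SPKI (1)."""
    usage, selector, mtype, assoc = rr
    if usage != 3:
        return False                     # other usages need PKIX/DANE-TA chain checks
    subject = cert_der if selector == 0 else spki_der
    actual = subject if mtype == 0 else DIGEST[mtype](subject).digest()
    return hmac.compare_digest(actual, assoc)


def verify(records, cert_der, spki_der):
    """True if any usable record matches; unparsable records are skipped, not fatal."""
    usable = digest_agility([rr for rr in map(parse_tlsa, records) if rr])
    return any(tlsa_matches(rr, cert_der, spki_der) for rr in usable)


# Constructed stand-ins (not real DER): bytes to hash in place of a cert and its SPKI.
CERT = b"constructed-leaf-certificate"
SPKI = b"constructed-subject-public-key-info"
GOOD_RR = "3 0 1 " + hashlib.sha256(CERT).hexdigest()         # what a "good" site publishes
BAD_HASH_RR = "3 0 1 " + "99" * 32                             # right shape, wrong digest
BAD_PARAM_RRS = ["3 0 17 " + "03" * 32, "3 119 1 " + "03" * 32, "51 0 1 " + "03" * 32]
```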