[dane] DANE TLSA support in OpenSSL 1.1.0 coming soon...
Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 27 December 2015 09:27 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC3CB1A008E for <dane@ietfa.amsl.com>; Sun, 27 Dec 2015 01:27:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.1
X-Spam-Level:
X-Spam-Status: No, score=0.1 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p29Cq87Mr8QP for <dane@ietfa.amsl.com>; Sun, 27 Dec 2015 01:27:08 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 048821A008B for <dane@ietf.org>; Sun, 27 Dec 2015 01:27:07 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id C80142843A5; Sun, 27 Dec 2015 09:27:06 +0000 (UTC)
Date: Sun, 27 Dec 2015 09:27:06 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20151227092706.GN18704@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/IFV8vPeiDREu2biYWQ2tPluBkfI>
Subject: [dane] DANE TLSA support in OpenSSL 1.1.0 coming soon...
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Dec 2015 09:27:10 -0000
The OpenSSL code for DANE 1.1.0 is done, pending internal team review. I am hoping it will appear in 1.1.0-pre2 in early January. If the review takes too long, it might slip into 1.1.0-pre3 in February. I'm working to avoid that. A quick demo below. Note OpenSSL will *NOT* do the DNS lookups for you. Use a suitable DNS library and feed the validated RRDATA to OpenSSL, which will then use these to validate the peer certificate (with built-in name checks, skipped as required for DANE-EE(3)). [ Bash code for the "danehttps" demo shell function that wraps "openssl s_client" is below my signature): ] # Verisign's "3 0 1" good demo: # $ danehttps good.dane.verisignlabs.com openssl 's_client' '-connect' 'good.dane.verisignlabs.com:443' '-dane_tlsa_domain' 'good.dane.verisignlabs.com' '-dane_tlsa_rrdata' '3 0 1 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3' DANE TLSA 3 0 1 matched EE certificate at depth 0 Verify return code: 0 (ok) # "3 1 1" from torproject.org for good measure: # $ danehttps torproject.org openssl 's_client' '-connect' 'torproject.org:443' '-dane_tlsa_domain' 'torproject.org' '-dane_tlsa_rrdata' '3 1 1 578582E6B4569A4627AEF5DFE876EEC0539388E605DB170217838B10 D2A58DA5' DANE TLSA 3 1 1 matched EE certificate at depth 0 Verify return code: 0 (ok) # Verisign's "3 0 1" bad hash: # $ danehttps bad-hash.dane.verisignlabs.com openssl 's_client' '-connect' 'bad-hash.dane.verisignlabs.com:443' '-dane_tlsa_domain' 'bad-hash.dane.verisignlabs.com' '-dane_tlsa_rrdata' '3 0 1 99999999999999999999999999999999999999999999999999999999 99999999' Verify return code: 27 (certificate not trusted) # Verisign's unusable TLSA records: # $ danehttps bad-params.dane.verisignlabs.com openssl 's_client' '-connect' 'bad-params.dane.verisignlabs.com:443' '-dane_tlsa_domain' 'bad-params.dane.verisignlabs.com' '-dane_tlsa_rrdata' '3 0 17 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3' '-dane_tlsa_rrdata' '3 119 1 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3' '-dane_tlsa_rrdata' '51 0 1 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3' s_client: warning: unusable TLSA rrdata: 3 0 17 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3 s_client: warning: unusable TLSA rrdata: 3 119 1 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3 s_client: warning: unusable TLSA rrdata: 51 0 1 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3 # It takes an Exim developer to be "man enough" to use non-trivial # chains with DANE and publish multiple TLSA RRs. A non-toy deployment. # $ danehttps www.spodhuis.org openssl 's_client' '-connect' 'www.spodhuis.org:443' '-dane_tlsa_domain' 'www.spodhuis.org' '-dane_tlsa_rrdata' '2 0 1 BDEE0D7C8F9C278F14EA9B6A4F90ED665A9F56DB0A56B1CDDA676591 2F398A5E' '-dane_tlsa_rrdata' '2 0 1 96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0 BDDF08C6' '-dane_tlsa_rrdata' '2 0 1 E4EB54A7FFA552EF64D8E1AE338B69BE909C29E6AF57170A2F6F44DF 225E5A14' '-dane_tlsa_rrdata' '2 0 1 EA99063A0A3BDA9727032CF82DA238698B90BA729300703D39569436 35F96488' DANE TLSA 2 0 1 matched TA certificate at depth 1 Verified peername: www.spodhuis.org Verify return code: 0 (ok) # Doug Barton is is particularly fond of PKIX-EE(1) # $ danehttps dougbarton.us -CAfile /tmp/startcom-root.pem openssl 's_client' '-connect' 'dougbarton.us:443' '-CAfile' '/tmp/sc.pem' '-dane_tlsa_domain' 'dougbarton.us' '-dane_tlsa_rrdata' '1 0 2 437A2A0C21D29C95FA036E982421EAE07FB180935C97D719AEDFAA5E 46FB64AE10C09266A0EC42E5D360785B5233B116F32868DDE7E81B2F BE6870D4B5781C63' DANE TLSA 1 0 2 matched EE certificate at depth 0 Verified peername: dougbarton.us Verify return code: 0 (ok) # Which fails, as it should, if we omit the local PKIX root: # $ danehttps dougbarton.us openssl 's_client' '-connect' 'dougbarton.us:443' '-dane_tlsa_domain' 'dougbarton.us' '-dane_tlsa_rrdata' '1 0 2 437A2A0C21D29C95FA036E982421EAE07FB180935C97D719AEDFAA5E 46FB64AE10C09266A0EC42E5D360785B5233B116F32868DDE7E81B2F BE6870D4B5781C63' Verify return code: 20 (unable to get local issuer certificate) -- Viktor. #! /bin/bash # Uses Bash arrays and local variables danehttps() { local host=$1; shift local args=(s_client -connect "$host:443") args=("${args[@]}" -dane_tlsa_domain "$host") local nlx="$(printf '\nx')" OIFS="$IFS"; IFS="${nlx%x}" rrs=( $( dig +noall +ans +nocl +nottl -t tlsa "_443._tcp.$host." | awk '$2 == "TLSA" {sub(/.*TLSA[^0-9]*/, "", $0); print}' ) ) IFS="$OIFS" for rr in "${rrs[@]}"; do args=("${args[@]}" "-dane_tlsa_rrdata" "$rr") done printf "openssl" for arg in "${args[@]}"; do printf " '%s'" "$arg"; done; echo (printf "HEAD / HTTP/1.0\r\nHost: %s\n" "$host"; sleep 1) | openssl "${args[@]}" 2>&1 | egrep '^ *Verif|^DANE TLSA|: warning:' } danehttps "$1"
- Re: [dane] DANE TLSA support in OpenSSL 1.1.0 com… Viktor Dukhovni
- [dane] DANE TLSA support in OpenSSL 1.1.0 coming … Viktor Dukhovni
- Re: [dane] DANE TLSA support in OpenSSL 1.1.0 com… Wes Hardaker