Re: [dane] Two additions to draft-york-dane-deployment-observations-00

Shumon Huque <shuque@gmail.com> Mon, 10 November 2014 19:20 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/dane/LpAFJbSvC0LLWRSqHlzD0YN-NwI

On Mon, Nov 10, 2014 at 8:30 AM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:

> On Mon, Nov 10, 2014 at 08:02:38AM -1000, Shumon Huque wrote:
>
> > There's a slightly newer version of that script in the develop branch:
> >
> > https://github.com/getdnsapi/getdns-python-bindings/blob/develop/examples/checkdanecert.py
> >
> > Note that this script currently only does usage type 3, and it works for
> > services that do SSL first (rather than negotiate STARTTLS). The Python
> > M2Crypto SSL interface has some significant limitations. For example, it
> > doesn't expose the function to set the TLS SNI extension, so on some
> > multihomed servers, the server won't be able to figure out the correct
> > certificate to present leading to the script failing the check.
>
> The "swede" code on github, for all its faults, seems to suggest that
> M2Crypto does in fact support SNI.
>
>
>     from M2Crypto import X509, SSL
>         ...
>         connection = SSL.Connection(ctx, sock=sock)
>         # Try to use SNI for virtual hosts if available
>         try:
>             # We don't want the trailing dot here
>             connection.set_tlsext_host_name(args.host[:-1])
>
> Perhaps you need a sufficiently new version of the module.
>

The latest official release of M2Crypto doesn't support it (there is a
long-standing unaddressed bug report filed on the topic). Some OS distributions
however (such as Fedora) have local patches that add it.

My code currently does this (use it if available):

        # set TLS SNI extension if available in M2Crypto on this platform
        # Note: the official M2Crypto release does not yet (as of late 2014)
        # have support for SNI, sigh, but patches exist.
        try:
            connection.set_tlsext_host_name(hostname)
        except AttributeError:
            pass

The Fedora patch also does it incompletely. It allows you to call the
function and set the SNI extension but then doesn't use it properly in
hostname matching checks (e.g. if you explicitly connect to an IP address
it will complain).


>
> > We have a more complete Python example that additionally does the PKIX-*
> > mode checks (0 and 1), and we had slides on that example in our recent
> > RIPE69 getdns tutorial (which we ran out of time to present during the
> > session itself). I'll work on getting that example posted on the github
> > site soon.
>
> The ssl_dane library is easy to embed into Python (perhaps easier
> than into Perl).  That may be a good approach, and would support
> all the parameter values and other fine details.  It uses OpenSSL
> for the underlying non-DANE-specific bits.
>

Thanks for the pointer. I'll take a look at ssl_dane.

--Shumon.
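
Added example, not part of the original message and not code from checkdanecert.py or swede: a usage type 3 TLSA check like the one discussed in this thread, written against Python's standard `ssl` module (which sets SNI through `server_hostname`) instead of M2Crypto. The function names and the sample bytes are constructed for illustration; the TLSA fields are assumed to come from a DNSSEC-validated lookup, and `fetch_cert` covers only services that start with TLS, not STARTTLS.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed sample: a DER skeleton shaped like an X.509 certificate (not a real one).
SAMPLE_SPKI = bytes.fromhex("3006050003020000")
SAMPLE_CERT = bytes.fromhex("301f3018a003020102020101" + "3000" * 4
                            + SAMPLE_SPKI.hex() + "3000030100")

def fetch_cert(host, port=443):
    """Fetch the server's leaf certificate (DER), sending SNI. Implicit TLS only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # usage 3: the TLSA record authenticates,
    ctx.verify_mode = ssl.CERT_NONE  # not the PKIX chain or hostname check
    name = host.rstrip(".")          # no trailing dot in the SNI value
    with socket.create_connection((name, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=name) as tls:
            return tls.getpeercert(binary_form=True)

def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_from_cert(der):
    """Slice SubjectPublicKeyInfo (selector 1) out of a DER certificate."""
    _, pos, _ = der_tlv(der, 0)          # Certificate
    _, pos, _ = der_tlv(der, pos)        # tbsCertificate
    tag, _, end = der_tlv(der, pos)
    if tag == 0xA0:                      # optional [0] version
        pos = end
    for _ in range(5):                   # serial, sigAlg, issuer, validity, subject
        _, _, pos = der_tlv(der, pos)
    return der[pos:der_tlv(der, pos)[2]]

def tlsa_match(cert_der, usage, selector, mtype, assoc):
    """True if cert_der matches a DNSSEC-validated usage-3 TLSA record."""
    if usage != 3 or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported TLSA parameters")
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype:
        data = hashlib.new("sha256" if mtype == 1 else "sha512", data).digest()
    return hmac.compare_digest(data, assoc)
```

Without the `server_hostname` argument a multihomed server may return a different certificate, and the match fails even though the TLSA record is correct.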