Re: [dane] Two additions to draft-york-dane-deployment-observations-00

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 10 November 2014 18:32 UTC


On Mon, Nov 10, 2014 at 08:02:38AM -1000, Shumon Huque wrote:

> There's a slightly newer version of that script in the develop branch:
> 
> https://github.com/getdnsapi/getdns-python-bindings/blob/develop/examples/checkdanecert.py
> 
> Note that this script currently only does usage type 3, and it works for
> services that do SSL first (rather than negotiate STARTTLS). The Python
> M2Crypto SSL interface has some significant limitations. For example, it
> doesn't expose the function to set the TLS SNI extension, so on some
> multihomed servers, the server won't be able to figure out the correct
> certificate to present, leading to the script failing the check.

The "swede" code on github, for all its faults, seems to suggest that
M2Crypto does in fact support SNI.


    from M2Crypto import X509, SSL
    ...
    connection = SSL.Connection(ctx, sock=sock)
    # Try to use SNI for virtual hosts if available
    try:
        # We don't want the trailing dot here
        connection.set_tlsext_host_name(args.host[:-1])

Perhaps you need a sufficiently new version of the module.

> We have a more complete Python example that additionally does the PKIX-*
> mode checks (0 and 1), and we had slides on that example in our recent
> RIPE69 getdns tutorial (which we ran out of time to present during the
> session itself). I'll work on getting that example posted on the github
> site soon.

The ssl_dane library is easy to embed into Python (perhaps easier
than into Perl).  That may be a good approach, and would support
all the parameter values and other fine details.  It uses OpenSSL
for the underlying non-DANE-specific bits.

Though useful for online validation of peers with which you then
communicate, in test mode it operates "off-line": give it a chain,
a TLSA record and a peername list, and it tells you whether the
chain is matched or not.

So you can use any SSL toolkit you want to grab the chain, and the
library then handles the validation.  Only known limitations are
that digest agility currently belongs in the application layer
outside the library and that IDNA hostnames are not yet supported.

-- 
	Viktor.
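
Added example, not part of the original message and not code from ssl_dane, getdns or swede: an offline usage-3 (DANE-EE) check that takes a leaf certificate in DER form plus a TLSA RRset and reports which record matches, covering selectors 0/1 and matching types 0/1/2 from RFC 6698. All function names are hypothetical, and the sample input is a constructed certificate-shaped DER skeleton rather than a real certificate; chain building, usages 0-2 and peer name checks are out of scope.

```python
import hashlib
import hmac

def _tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: next n octets hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length

def spki_der(cert):
    """Slice the SubjectPublicKeyInfo (selector 1) out of a DER certificate."""
    _, off, _ = _tlv(cert, 0)              # Certificate SEQUENCE
    _, off, _ = _tlv(cert, off)            # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert, off)
    if tag == 0xA0:                        # optional [0] version field
        off = end
    for _field in range(5):                # serial, sigAlg, issuer, validity, subject
        _, _, off = _tlv(cert, off)
    return cert[off:_tlv(cert, off)[2]]

def tlsa_matches(cert, selector, mtype, data):
    """Compare one TLSA (selector, mtype, data) triple against a DER certificate."""
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        return False                       # unknown parameters: record is unusable
    selected = cert if selector == 0 else spki_der(cert)
    if mtype:                              # 1 = SHA2-256, 2 = SHA2-512, 0 = exact match
        selected = {1: hashlib.sha256, 2: hashlib.sha512}[mtype](selected).digest()
    return hmac.compare_digest(selected, data)

def dane_ee_match(leaf_cert, tlsa_rrset):
    """Return the first usage-3 (usage, selector, mtype, data) record that matches."""
    for rr in tlsa_rrset:
        if rr[0] == 3 and tlsa_matches(leaf_cert, *rr[1:]):
            return rr
    return None

# Constructed sample: a certificate-shaped DER skeleton, not a real certificate.
def _der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body  # short-form lengths only (< 128 bytes)

SAMPLE_SPKI = _der(0x30, _der(0x30), _der(0x03, b"\x00\xaa\xbb\xcc"))
SAMPLE_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),
                  _der(0x30), _der(0x30), _der(0x30), _der(0x30), SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, SAMPLE_TBS, _der(0x30), _der(0x03, b"\x00\x00"))
```

The leaf certificate can come from any TLS toolkit, for example `ssl.SSLSocket.getpeercert(binary_form=True)` in the Python standard library.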