Re: [dane] Two additions to draft-york-dane-deployment-observations-00

Viktor Dukhovni <> Mon, 10 November 2014 18:32 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id F162E1A6FF5 for <>; Mon, 10 Nov 2014 10:32:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id N-PAGRxWBk_B for <>; Mon, 10 Nov 2014 10:32:30 -0800 (PST)
Received: from ( []) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A5AC61A9150 for <>; Mon, 10 Nov 2014 10:30:49 -0800 (PST)
Received: by (Postfix, from userid 1034) id 96D482AB2F4; Mon, 10 Nov 2014 18:30:48 +0000 (UTC)
Date: Mon, 10 Nov 2014 18:30:48 +0000
From: Viktor Dukhovni <>
Message-ID: <>
References: <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.23 (2014-03-12)
Subject: Re: [dane] Two additions to draft-york-dane-deployment-observations-00
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 10 Nov 2014 18:32:32 -0000

On Mon, Nov 10, 2014 at 08:02:38AM -1000, Shumon Huque wrote:

> There's a slightly newer version of that script in the develop branch:
> Note that this script currently only does usage type 3, and it works for
> services that do SSL first (rather than negotiate STARTTLS). The Python
> M2Crypto SSL interface has some significant limitations. For example, it
> doesn't expose the function to set the TLS SNI extension, so on some
> multihomed servers, the server won't be able to figure out the correct
> certificate to present leading to the script failing the check.

The "swede" code on github, for all its faults, seems to suggest that
M2Crypto does in fact support SNI.

    from M2Crypto import X509, SSL
	connection = SSL.Connection(ctx, sock=sock)
	# Try to use SNI for virtual hosts if available
	    # We don't want the trailing dot here

Perhaps you need a sufficiently new version of the module.

> We have a more complete Python example that additionally does the PKIX-*
> mode checks (0 and 1), and we had slides on that example in our recent
> RIPE69 getdns tutorial (which we ran out of time to present during the
> session itself). I'll work on getting that example posted on the github
> site soon.

The ssl_dane library is easy to embed into Python (perhaps easier
than into Perl).  That may be a good approach, and would support
all the parameter values and other fine details.  It uses OpenSSL
for the underlying non-DANE-specific bits.

Though useful for online validation of peers with which you then
communicate, in test mode it operates "off-line", give it a chain,
TLSA record and a peername list, and it tells you whether the
chain is matched or not.

So you can use any SSL toolkit you want to grab the chain, and the
library then handles the validation.  Only known limitations are
that digest agility currently belongs in the application layer
outside the library and that IDNA hostnames are not yet supported.