[dane] DANE XMPP s2s implementation
Kim Alvefur <zash@zash.se> Mon, 10 March 2014 14:50 UTC
Return-Path: <zash@zash.se>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9850F1A043E for <dane@ietfa.amsl.com>; Mon, 10 Mar 2014 07:50:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Level:
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rd2AH6IJuB4b for <dane@ietfa.amsl.com>; Mon, 10 Mar 2014 07:50:28 -0700 (PDT)
Received: from mail.zash.se (ip66.hethane.riksnet.nu [85.11.25.66]) by ietfa.amsl.com (Postfix) with ESMTP id B31D01A0434 for <dane@ietf.org>; Mon, 10 Mar 2014 07:50:28 -0700 (PDT)
Received: from [IPv6:2001:16d8:ffc6:0:b1f7:63b9:e8ad:8e70] (unknown [IPv6:2001:16d8:ffc6:0:b1f7:63b9:e8ad:8e70]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: zash) by mail.zash.se (Postfix) with ESMTPSA id C3A5560C58 for <dane@ietf.org>; Mon, 10 Mar 2014 15:50:20 +0100 (CET)
Message-ID: <531DD129.9020305@zash.se>
Date: Mon, 10 Mar 2014 15:50:17 +0100
From: Kim Alvefur <zash@zash.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: DANE WG <dane@ietf.org>
X-Enigmail-Version: 1.6
OpenPGP: id=B67AD329; url=http://zash.se/~zash/pubkey.asc
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="roirl2E1sq07wHlWaXKMdtXvuK34ditu3"
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/VKUt-9_4xERcMPd9P86tdALm-eE
Subject: [dane] DANE XMPP s2s implementation
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Mar 2014 14:50:30 -0000
Hi, Everyone back (and recovered) from IETF89? Much interesting, such people, very discussions, wow. So I have an experimental DANE implementation for server-to-server connections in the Prosody XMPP server. It's currently only doing DANE-EE and PKIX-EE. The TA variants are trickier, especially DANE-TA, so I have left them out for now. LuaSec, the OpenSSL to Lua binding we use, doesn't currently expose anything for validating some random chain. It also includes an attempt at doing something for authenticating the client certificate on incoming connections, by looking for a TLSA record at the same name as for SRV, eg _xmpp-server._tcp.example.com. Comments about this would be appreciated. Info: http://code.google.com/p/prosody-modules/wiki/mod_s2s_auth_dane Code: http://code.google.com/p/prosody-modules/source/browse/mod_s2s_auth_dane/mod_s2s_auth_dane.lua -- Regards, Kim "Zash" Alvefur
- [dane] DANE XMPP s2s implementation Kim Alvefur
- Re: [dane] DANE XMPP s2s implementation Viktor Dukhovni