[dane] DANE XMPP s2s implementation

Kim Alvefur <zash@zash.se> Mon, 10 March 2014 14:50 UTC

Message-ID: <531DD129.9020305@zash.se>
Date: Mon, 10 Mar 2014 15:50:17 +0100
From: Kim Alvefur <zash@zash.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: DANE WG <dane@ietf.org>
X-Enigmail-Version: 1.6
OpenPGP: id=B67AD329; url=http://zash.se/~zash/pubkey.asc
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="roirl2E1sq07wHlWaXKMdtXvuK34ditu3"
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/VKUt-9_4xERcMPd9P86tdALm-eE
Subject: [dane] DANE XMPP s2s implementation

Everyone back (and recovered) from IETF89?  Much interesting, such
people, very discussions, wow.

So I have an experimental DANE implementation for server-to-server
connections in the Prosody XMPP server.

It's currently only doing DANE-EE and PKIX-EE.  The TA variants are
trickier, especially DANE-TA, so I have left them out for now.  LuaSec,
the OpenSSL to Lua binding we use, doesn't currently expose anything for
validating some random chain.

It also includes an attempt at doing something for authenticating the
client certificate on incoming connections, by looking for a TLSA record
at the same name as for SRV, e.g. _xmpp-server._tcp.example.com.  Comments
about this would be appreciated.

Info: http://code.google.com/p/prosody-modules/wiki/mod_s2s_auth_dane

Kim "Zash" Alvefur
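The two usages the message says are implemented, DANE-EE (usage 3) and PKIX-EE (usage 1), come down to selecting either the full certificate or its SubjectPublicKeyInfo, optionally hashing it, and comparing with the TLSA data. The following is an added illustration in Python, not Prosody's mod_s2s_auth_dane code (which is Lua), and it shows both sides: building the record an operator would publish under the SRV name (_xmpp-server._tcp.example.com, as proposed above for the client-certificate case) and checking a peer's certificate against a TLSA RRset. It assumes the caller has already fetched the RRset and confirmed it was DNSSEC-validated, and that the result of ordinary PKIX validation (needed for PKIX-EE but not for DANE-EE) is passed in as a flag; the certificate at the bottom is constructed inline, well-formed DER with filler key and signature bytes, so the example runs offline.

```python
"""DANE-EE / PKIX-EE matching of an XMPP s2s peer certificate (added illustration, not
Prosody's mod_s2s_auth_dane).  Assumes the caller fetched the TLSA RRset and confirmed it
was DNSSEC-validated; an insecure or bogus RRset must be ignored entirely."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

PKIX_EE, DANE_EE = 1, 3                            # certificate usages, RFC 6698 s2.1.1
SEL_FULL_CERT, SEL_SPKI = 0, 1                     # selectors, s2.1.2
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2   # matching types, s2.1.3

@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes

    @classmethod
    def from_text(cls, rdata: str) -> "TLSA":
        """Parse presentation format, e.g. '3 1 1 ab12...' (hex may be split by spaces)."""
        usage, selector, mtype, *hexparts = rdata.split()
        return cls(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))

def tlsa_name_for_srv(service: str, domain: str) -> str:
    """Owner name the post proposes for a peer's client cert: the SRV name itself."""
    return f"{service}._tcp.{domain.rstrip('.')}."

def _der_tlv(buf: bytes, pos: int):
    """(tag, value_start, value_end) of the DER TLV at pos; single-byte tags only."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def _der_children(buf: bytes, pos: int):
    """[(tlv_start, tlv_end), ...] for the members of the SEQUENCE at pos."""
    tag, p, end = _der_tlv(buf, pos)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out = []
    while p < end:
        _, _, e = _der_tlv(buf, p)
        out.append((p, e))
        p = e
    return out

def spki_from_cert(cert_der: bytes) -> bytes:
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo (field 6 with [0] version, else 5)."""
    fields = _der_children(cert_der, _der_children(cert_der, 0)[0][0])
    s, e = fields[6 if cert_der[fields[0][0]] == 0xA0 else 5]
    return cert_der[s:e]

def _association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """What a TLSA record's data field must equal for this cert, selector and matching type."""
    if selector == SEL_FULL_CERT:
        data = cert_der
    elif selector == SEL_SPKI:
        data = spki_from_cert(cert_der)
    else:
        raise ValueError("unknown selector")
    if mtype == MATCH_FULL:
        return data
    if mtype == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type")

def tlsa_record_for(cert_der: bytes, usage: int, selector: int, mtype: int) -> TLSA:
    """Operator side: the record to publish for this certificate."""
    return TLSA(usage, selector, mtype, _association_data(cert_der, selector, mtype))

def dane_ee_verify(records: List[TLSA], cert_der: bytes, pkix_valid: bool) -> Optional[str]:
    """'DANE-EE' or 'PKIX-EE' if some record authenticates cert_der, else None.
    PKIX-EE only counts when the cert also passed ordinary PKIX validation."""
    for r in records:
        if r.usage not in (PKIX_EE, DANE_EE):
            continue                               # TA usages not handled here
        try:
            if _association_data(cert_der, r.selector, r.matching_type) != r.data:
                continue
        except ValueError:
            continue                               # unusable record, skip it (RFC 6698 s4.1)
        if r.usage == DANE_EE:
            return "DANE-EE"
        if pkix_valid:
            return "PKIX-EE"
    return None

# Constructed test certificate: well-formed DER, but the key bits and signature are filler.
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

_RSA_ENC = _tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")    # rsaEncryption
_SHA256_RSA = _tlv(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")  # sha256WithRSA
CONSTRUCTED_SPKI = _tlv(0x30, _RSA_ENC + _tlv(0x03, b"\x00" + b"\x11" * 32))
_TBS = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + _SHA256_RSA    # v3, serial 1
            + _tlv(0x30, b"") + _tlv(0x30, b"\x17\x0d140310000000Z\x17\x0d150310000000Z")
            + _tlv(0x30, b"") + CONSTRUCTED_SPKI)                                 # empty issuer/subject
CONSTRUCTED_CERT = _tlv(0x30, _TBS + _SHA256_RSA + _tlv(0x03, b"\x00" + b"\x22" * 16))

if __name__ == "__main__":
    rec = tlsa_record_for(CONSTRUCTED_CERT, DANE_EE, SEL_SPKI, MATCH_SHA256)
    print(tlsa_name_for_srv("_xmpp-server", "example.com"), "IN TLSA",
          rec.usage, rec.selector, rec.matching_type, rec.data.hex())
    print(dane_ee_verify([rec], CONSTRUCTED_CERT, pkix_valid=False))    # DANE-EE
```

Two things the code makes visible that the prose does not: a record with selector 1 (SPKI) still matches a certificate whose signature bytes have been altered, since only the key is covered, which is exactly why DANE-EE does not need the chain; and a PKIX-EE record that matches byte-for-byte is still not sufficient on its own, because the usage requires the PKIX result as well.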