[dane] OpenSSL 1.1.0 released, supports DANE TLSA

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 26 August 2016 16:25 UTC

Date: Fri, 26 Aug 2016 16:25:32 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20160826162532.GV4670@mournblade.imrryr.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/b_Cx9wniFVtPX6Mh43yCxoRobBU>
Subject: [dane] OpenSSL 1.1.0 released, supports DANE TLSA

For those who might not yet have heard the news, OpenSSL 1.1.0 was
released yesterday and includes support for DANE TLSA authentication.

    https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_dane_enable.html
    https://www.openssl.org/docs/manmaster/apps/s_client.html

Example:

   $ PATH=/.../OpenSSL_1_1_0/bin:$PATH
   $  dig +short -t mx ietf.org |
         while read pref mx; do
            mx=${mx%.}
            printf "=== %s\n" "$mx"
            dig +short -t tlsa "_25._tcp.$mx" |
               while read rrdata; do
                  printf "+++ %s\n" "$rrdata"
                  (sleep 2; printf "QUIT\r\n" ) |
                  openssl s_client -brief -starttls smtp -connect "$mx:25" \
                     -dane_tlsa_domain "$mx" -dane_tlsa_rrdata "$rrdata" \
                     -dane_ee_no_namechecks
               done
         done
   === mail.ietf.org
   +++ 3 1 1 0C72AC70B745AC19998811B131D662C9AC69DBDBE7CB23E5B514B566 64C5D3D6
   CONNECTION ESTABLISHED
   Protocol version: TLSv1.2
   Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
   Peer certificate: OU = Domain Control Validated, CN = *.ietf.org
   Hash used: SHA512
   Verification: OK
   Verified peername: *.ietf.org
   DANE TLSA 3 1 1 ...e7cb23e5b514b56664c5d3d6 matched EE certificate at depth 0
   Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
   Server Temp Key: ECDH, P-256, 256 bits
   250 8BITMIME
   DONE

-- 
	Viktor.
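As an added illustration of what `openssl s_client -dane_tlsa_rrdata` is checking in the post above (this is example code, not OpenSSL's implementation and not part of the original message), the following Python reimplements the TLSA matching rules from RFC 6698: pick the full certificate or its SubjectPublicKeyInfo according to the selector, hash it (or not) according to the matching type, and compare against the record data. It also shows two practical details visible in the post's output: `dig +short` wraps long hex data into space-separated chunks, so a parser must join the fields before decoding, and a "3 1 1" (DANE-EE) record is matched against the end-entity certificate at depth 0 while the trust-anchor usages are matched against an issuer further up the chain. The certificate and SPKI byte strings are constructed placeholders rather than real DER; only the rrdata line is the one from the post. Full PKIX path validation for the usage 0/2 cases is outside this example's scope.

```python
"""Minimal DANE TLSA matcher (added example; not OpenSSL's code).

Certificate and SPKI byte strings below are constructed placeholders,
not real DER.  The rrdata line is the one shown in the post's output.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Certificate usages from RFC 6698 / RFC 7672.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0..3, see constants above
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data


def parse_tlsa_rrdata(line: str) -> TLSA:
    """Parse one line of `dig +short -t tlsa` output.

    dig wraps long hex data into space-separated chunks (visible in the
    post's output), so every field after the first three is joined before
    decoding.
    """
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"malformed TLSA rrdata: {line!r}")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if not (0 <= usage <= 3 and selector in (0, 1) and mtype in (0, 1, 2)):
        raise ValueError(f"unsupported TLSA parameters: {usage} {selector} {mtype}")
    return TLSA(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))


def format_rrdata(rec: TLSA) -> str:
    """Presentation format, as one would paste into a zone file."""
    return f"{rec.usage} {rec.selector} {rec.mtype} {rec.data.hex().upper()}"


def association_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field must equal for this certificate."""
    blob = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return blob
    if rec.mtype == 1:
        return hashlib.sha256(blob).digest()
    return hashlib.sha512(blob).digest()


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the record binds this certificate (constant-time compare)."""
    return hmac.compare_digest(association_data(rec, cert_der, spki_der), rec.data)


def tlsa_for(cert_der: bytes, spki_der: bytes, usage: int = DANE_EE,
             selector: int = 1, mtype: int = 1) -> TLSA:
    """Build the record a zone operator would publish for this certificate;
    the defaults give the "3 1 1" form used in the post."""
    template = TLSA(usage, selector, mtype, b"")
    return TLSA(usage, selector, mtype, association_data(template, cert_der, spki_der))


def match_chain(records: Sequence[TLSA],
                chain: Sequence[Tuple[bytes, bytes]]) -> Optional[Tuple[TLSA, int]]:
    """Return (record, depth) for the first record that matches the chain.

    chain[0] is the end-entity certificate as (cert_der, spki_der).
    Usages 1 and 3 bind the EE certificate (depth 0); usages 0 and 2 bind
    an issuer (depth >= 1).  PKIX path building for the TA usages is not
    attempted here.
    """
    for rec in records:
        depths = [0] if rec.usage in (PKIX_EE, DANE_EE) else range(1, len(chain))
        for depth in depths:
            cert_der, spki_der = chain[depth]
            if tlsa_matches(rec, cert_der, spki_der):
                return rec, depth
    return None


# Constructed sample data (placeholders, not real DER certificates).
EE_CERT, EE_SPKI = b"constructed-ee-cert", b"constructed-ee-spki"
CA_CERT, CA_SPKI = b"constructed-ca-cert", b"constructed-ca-spki"
# The record from the post's output, exactly as dig printed it (with the wrap).
IETF_RRDATA = "3 1 1 0C72AC70B745AC19998811B131D662C9AC69DBDBE7CB23E5B514B566 64C5D3D6"

if __name__ == "__main__":
    rec = parse_tlsa_rrdata(IETF_RRDATA)
    print(format_rrdata(rec))
    published = tlsa_for(EE_CERT, EE_SPKI)
    hit = match_chain([published], [(EE_CERT, EE_SPKI), (CA_CERT, CA_SPKI)])
    print(f"DANE TLSA {format_rrdata(hit[0])[:32]}... matched at depth {hit[1]}")
```

The real `s_client` additionally verifies the handshake and, for usage 3 records, treats the matched EE certificate as fully authenticated without a CA chain, which is why the post's loop can pass `-dane_ee_no_namechecks` for SMTP (RFC 7672 does not require name matching for DANE-EE). For usages 0 and 2 a production client must still build and validate a PKIX path to the matched certificate, which this example deliberately omits.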