Re: [dane] Meeting at IETF89 (London).
Viktor Dukhovni <viktor1dane@dukhovni.org> Wed, 22 January 2014 20:19 UTC
Date: Wed, 22 Jan 2014 20:19:28 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140122201928.GT2317@mournblade.imrryr.org>
References: <CAHw9_iK4sY=Ogy4zMP0XQUu2K1wTDhn67ajXpGQp5iaeBDRuMw@mail.gmail.com> <20140117000402.GU2317@mournblade.imrryr.org> <1D16821E-8200-4937-BDFF-2099B7D20C3B@NLnetLabs.nl>
In-Reply-To: <1D16821E-8200-4937-BDFF-2099B7D20C3B@NLnetLabs.nl>
On Wed, Jan 22, 2014 at 09:00:08PM +0100, Olaf Kolkman wrote:

> [shameless plug ahead]
>
> On 17 jan. 2014, at 01:04, Viktor Dukhovni <viktor1dane@dukhovni.org> wrote:
>
> > /etc/postfix/main.cf:
> >     # Server TLS
> >     smtpd_tls_security_level = may
> >     smtpd_tls_loglevel = 1
> >     smtpd_tls_cert_file = ${config_directory}/smtpd-chain.pem
> >     smtpd_tls_key_file = ${config_directory}/smtpd-key.pem
> >     smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
> >     smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
>
> Of course one should publish the TLSA RR once the server bit has
> been configured. Easy generation:

Yes, of course.

> ldns-dane -c ${config_directory}/smtpd-chain.pem create \
>     <mx.example.com> 25 domain-issued full

Or the short shell script below my signature, provided OpenSSL is
installed and the version is >= 1.0.0.

    $ tlsagen /usr/pkg/etc/mail-cert.pem mail.example.com:25 dane-ee spki sha2-256
    _25._tcp.mail.example.com. IN TLSA 3 1 1 89EF5B500559318251538FB1DA0BD309D38BD021EB0311A3227BE7B331B05BAC

-- 
	Viktor.

#! /bin/sh

# Selector: 0 = full certificate, 1 = SubjectPublicKeyInfo (both as DER).
extract() {
    case "$4" in
    0) openssl x509 -in "$1" -outform DER;;
    1) openssl x509 -in "$1" -noout -pubkey |
       openssl pkey -pubin -outform DER;;
    esac
}

# Matching type: 0 = full data, 1 = SHA2-256, 2 = SHA2-512.
digest() {
    case "$5" in
    0) cat;;
    1) openssl dgst -sha256 -binary;;
    2) openssl dgst -sha512 -binary;;
    esac
}

# Hex-encode stdin and print the TLSA RR for _port._tcp.host.
encode() {
    perl -e '
	($cert, $hostport, $u, $s, $m) = @ARGV;
	($host, $port) = split(":", $hostport); $port ||= 25;
	$/ = undef;
	($a = <STDIN>) =~ s/(.)/sprintf("%02X", ord($1))/egs;
	printf "_%d._tcp.%s. IN TLSA %d %d %d %s\n",
	    $port, $host, $u, $s, $m, $a;
    ' "$@"
}

error() { echo "$1" 1>&2; exit 1; }
usage() { error "Usage: $0 cert.pem host[:port] usage selector mtype"; }

if [ $# -ne 5 ]; then usage; fi

# Accept either the numeric value or the RFC 6698 mnemonic for each field.
case "$(echo "$3" | tr '[A-Z]' '[a-z]')" in
0|pkix-[ct]a) usage=0;;
1|pkix-ee) usage=1;;
2|dane-[ct]a) usage=2;;
3|dane-ee) usage=3;;
*) error "Invalid certificate usage: $3";;
esac

case "$(echo "$4" | tr '[A-Z]' '[a-z]')" in
0|cert) selector=0;;
1|spki|pkey) selector=1;;
*) error "Invalid selector: $4";;
esac

case "$(echo "$5" | tr '[A-Z]' '[a-z]')" in
0|full) mtype=0;;
1|sha2-256|sha256|sha-256) mtype=1;;
2|sha2-512|sha512|sha-512) mtype=2;;
*) error "Invalid matching type: $5";;
esac

set -- "$1" "$2" "$usage" "$selector" "$mtype"
extract "$@" | digest "$@" | encode "$@"
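The same generation step as an added example in Python (not part of the thread or the tlsagen script): a minimal DER walk pulls the SubjectPublicKeyInfo out of a certificate, the selector and matching type decide what gets hashed, and a tlsa_matches() function shows the check a DANE-aware client performs against the certificate presented in the TLS handshake. The sample certificate bytes are constructed for the example and are not a real certificate.

```python
import hashlib

# Constructed sample: a minimal, non-functional DER "certificate" whose
# tbsCertificate ends in a SubjectPublicKeyInfo (not a real certificate).
SAMPLE_SPKI_DER = bytes.fromhex("300b300506032b6570030200aa")
SAMPLE_CERT_DER = (bytes.fromhex("302f3022a003020102020101300506032b6570300030003000")
                   + SAMPLE_SPKI_DER + bytes.fromhex("300506032b6570030200bb"))

def _tlv(buf, off):
    """Return (tag, header length, content length) of the DER TLV at buf[off:]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")

def extract_spki(cert_der):
    """Walk Certificate -> tbsCertificate and return the SPKI TLV (selector 1)."""
    _, h, _ = _tlv(cert_der, 0)               # Certificate SEQUENCE
    off = h
    _, h, _ = _tlv(cert_der, off)             # tbsCertificate SEQUENCE
    off += h
    tag, h, l = _tlv(cert_der, off)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        off += h + l
    for _ in range(5):                        # serial, sigalg, issuer, validity, subject
        _, h, l = _tlv(cert_der, off)
        off += h + l
    _, h, l = _tlv(cert_der, off)             # subjectPublicKeyInfo SEQUENCE
    return cert_der[off:off + h + l]

def tlsa_data(cert_der, selector, mtype):
    """Certificate association data, upper-case hex as written in the zone file."""
    obj = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return obj.hex().upper()
    algo = {1: hashlib.sha256, 2: hashlib.sha512}[mtype]
    return algo(obj).hexdigest().upper()

def tlsa_record(host, port, cert_der, usage, selector, mtype):
    data = tlsa_data(cert_der, selector, mtype)
    return f"_{port}._tcp.{host}. IN TLSA {usage} {selector} {mtype} {data}"

def tlsa_matches(cert_der, selector, mtype, data):
    """Client-side check: does the presented certificate match the published RR?"""
    return tlsa_data(cert_der, selector, mtype) == data.upper()

if __name__ == "__main__":
    print(tlsa_record("mail.example.com", 25, SAMPLE_CERT_DER, 3, 1, 1))
```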