[dane] DANE TLSA support in OpenSSL 1.1.0 coming soon...
Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 27 December 2015 09:27 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC3CB1A008E for <dane@ietfa.amsl.com>; Sun, 27 Dec 2015 01:27:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.1
X-Spam-Level:
X-Spam-Status: No, score=0.1 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p29Cq87Mr8QP for <dane@ietfa.amsl.com>; Sun, 27 Dec 2015 01:27:08 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 048821A008B for <dane@ietf.org>; Sun, 27 Dec 2015 01:27:07 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id C80142843A5; Sun, 27 Dec 2015 09:27:06 +0000 (UTC)
Date: Sun, 27 Dec 2015 09:27:06 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20151227092706.GN18704@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/IFV8vPeiDREu2biYWQ2tPluBkfI>
Subject: [dane] DANE TLSA support in OpenSSL 1.1.0 coming soon...
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Dec 2015 09:27:10 -0000
The OpenSSL code for DANE 1.1.0 is done, pending internal team
review. I am hoping it will appear in 1.1.0-pre2 in early January.
If the review takes too long, it might slip into 1.1.0-pre3 in
February. I'm working to avoid that.
A quick demo below. Note OpenSSL will *NOT* do the DNS lookups
for you. Use a suitable DNS library and feed the validated RRDATA
to OpenSSL, which will then use these to validate the peer certificate
(with built-in name checks, skipped as required for DANE-EE(3)).
[ Bash code for the "danehttps" demo shell function that
wraps "openssl s_client" is below my signature): ]
# Verisign's "3 0 1" good demo:
#
$ danehttps good.dane.verisignlabs.com
openssl 's_client' '-connect' 'good.dane.verisignlabs.com:443' '-dane_tlsa_domain' 'good.dane.verisignlabs.com' '-dane_tlsa_rrdata' '3 0 1 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3'
DANE TLSA 3 0 1 matched EE certificate at depth 0
Verify return code: 0 (ok)
# "3 1 1" from torproject.org for good measure:
#
$ danehttps torproject.org
openssl 's_client' '-connect' 'torproject.org:443' '-dane_tlsa_domain' 'torproject.org' '-dane_tlsa_rrdata' '3 1 1 578582E6B4569A4627AEF5DFE876EEC0539388E605DB170217838B10 D2A58DA5'
DANE TLSA 3 1 1 matched EE certificate at depth 0
Verify return code: 0 (ok)
# Verisign's "3 0 1" bad hash:
#
$ danehttps bad-hash.dane.verisignlabs.com
openssl 's_client' '-connect' 'bad-hash.dane.verisignlabs.com:443' '-dane_tlsa_domain' 'bad-hash.dane.verisignlabs.com' '-dane_tlsa_rrdata' '3 0 1 99999999999999999999999999999999999999999999999999999999 99999999'
Verify return code: 27 (certificate not trusted)
# Verisign's unusable TLSA records:
#
$ danehttps bad-params.dane.verisignlabs.com
openssl 's_client' '-connect' 'bad-params.dane.verisignlabs.com:443' '-dane_tlsa_domain' 'bad-params.dane.verisignlabs.com' '-dane_tlsa_rrdata' '3 0 17 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3' '-dane_tlsa_rrdata' '3 119 1 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3' '-dane_tlsa_rrdata' '51 0 1 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3'
s_client: warning: unusable TLSA rrdata: 3 0 17 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3
s_client: warning: unusable TLSA rrdata: 3 119 1 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3
s_client: warning: unusable TLSA rrdata: 51 0 1 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3
# It takes an Exim developer to be "man enough" to use non-trivial
# chains with DANE and publish multiple TLSA RRs. A non-toy deployment.
#
$ danehttps www.spodhuis.org
openssl 's_client' '-connect' 'www.spodhuis.org:443' '-dane_tlsa_domain' 'www.spodhuis.org' '-dane_tlsa_rrdata' '2 0 1 BDEE0D7C8F9C278F14EA9B6A4F90ED665A9F56DB0A56B1CDDA676591 2F398A5E' '-dane_tlsa_rrdata' '2 0 1 96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0 BDDF08C6' '-dane_tlsa_rrdata' '2 0 1 E4EB54A7FFA552EF64D8E1AE338B69BE909C29E6AF57170A2F6F44DF 225E5A14' '-dane_tlsa_rrdata' '2 0 1 EA99063A0A3BDA9727032CF82DA238698B90BA729300703D39569436 35F96488'
DANE TLSA 2 0 1 matched TA certificate at depth 1
Verified peername: www.spodhuis.org
Verify return code: 0 (ok)
# Doug Barton is is particularly fond of PKIX-EE(1)
#
$ danehttps dougbarton.us -CAfile /tmp/startcom-root.pem
openssl 's_client' '-connect' 'dougbarton.us:443' '-CAfile' '/tmp/sc.pem' '-dane_tlsa_domain' 'dougbarton.us' '-dane_tlsa_rrdata' '1 0 2 437A2A0C21D29C95FA036E982421EAE07FB180935C97D719AEDFAA5E 46FB64AE10C09266A0EC42E5D360785B5233B116F32868DDE7E81B2F BE6870D4B5781C63'
DANE TLSA 1 0 2 matched EE certificate at depth 0
Verified peername: dougbarton.us
Verify return code: 0 (ok)
# Which fails, as it should, if we omit the local PKIX root:
#
$ danehttps dougbarton.us
openssl 's_client' '-connect' 'dougbarton.us:443' '-dane_tlsa_domain' 'dougbarton.us' '-dane_tlsa_rrdata' '1 0 2 437A2A0C21D29C95FA036E982421EAE07FB180935C97D719AEDFAA5E 46FB64AE10C09266A0EC42E5D360785B5233B116F32868DDE7E81B2F BE6870D4B5781C63'
Verify return code: 20 (unable to get local issuer certificate)
--
Viktor.
#! /bin/bash
# Uses Bash arrays and local variables
danehttps() {
local host=$1; shift
local args=(s_client -connect "$host:443")
args=("${args[@]}" -dane_tlsa_domain "$host")
local nlx="$(printf '\nx')"
OIFS="$IFS"; IFS="${nlx%x}"
rrs=( $(
dig +noall +ans +nocl +nottl -t tlsa "_443._tcp.$host." |
awk '$2 == "TLSA" {sub(/.*TLSA[^0-9]*/, "", $0); print}'
) )
IFS="$OIFS"
for rr in "${rrs[@]}"; do
args=("${args[@]}" "-dane_tlsa_rrdata" "$rr")
done
printf "openssl"
for arg in "${args[@]}"; do printf " '%s'" "$arg"; done; echo
(printf "HEAD / HTTP/1.0\r\nHost: %s\n" "$host"; sleep 1) |
openssl "${args[@]}" 2>&1 |
egrep '^ *Verif|^DANE TLSA|: warning:'
}
danehttps "$1"
- Re: [dane] DANE TLSA support in OpenSSL 1.1.0 com… Viktor Dukhovni
- [dane] DANE TLSA support in OpenSSL 1.1.0 coming … Viktor Dukhovni
- Re: [dane] DANE TLSA support in OpenSSL 1.1.0 com… Wes Hardaker