Skip to content
forked from shuque/danetls

Program to test DANE enabled TLS Services

Notifications You must be signed in to change notification settings

wtoorop/danetls

 
 

Repository files navigation

danetls

A program to test DANE enabled TLS services.
Author: Shumon Huque

This program looks up address records and DANE TLSA records for the specified TLS server and port, connects to the server, establishes a TLS session, and attempts to authenticate the server certificate with the DANE TLSA record(s). If no TLSA records are found, it falls back to traditional PKIX authentication. Uses the DANE verification code introduced in OpenSSL 1.1.0-pre2 (released on January 2016) or later.

Command line options can specify whether to do DANE or PKIX modes, an alternate certificate store file, and what STARTTLS application protocol should be used (currently there is STARTTLS support for SMTP and XMPP only - the two most widely deployed DANE STARTTLS applications).

There are two versions of this program. "danetls", which uses ldns to perform the DNS queries, and "danetls-getdns", which uses the getdns library instead. The ldns version assumes the use of validating DNS resolver to which we have a trusted connection, and checks the AD bit in responses from the resolver. The getdns version uses a DNSSEC-aware (but not necessarily DNSSEC-validating) resolver and performs its own validation.

Pre-requisites:

Usage: danetls [options] <hostname> <portnumber>

       -h:             print this help message
       -d:             debug mode
       -n <name>:      service name
       -c <cafile>:    CA file
       -m <dane|pkix>: dane or pkix mode
                       (default is dane & fallback to pkix)
       -s <app>:       use starttls with specified application
                       ('smtp', 'xmpp-client', 'xmpp-server')

Some sample output follows.

Checking the HTTPS service at www.huque.com:

$ danetls www.huque.com 443
Connecting to IPv6 address: 2600:3c03:e000:81::a port 443
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
DANE TLSA 3 1 1 [b760c12119c3...] matched EE certificate at depth 0

Connecting to IPv4 address: 50.116.63.23 port 443
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
DANE TLSA 3 1 1 [b760c12119c3...] matched EE certificate at depth 0

Checking the HTTPS service at www.ietf.org:

$ danetls www.ietf.org 443
Connecting to IPv6 address: 2400:cb00:2048:1::6814:155 port 443
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
DANE TLSA 3 1 1 [0c72ac70b745...] matched EE certificate at depth 0

Connecting to IPv6 address: 2400:cb00:2048:1::6814:55 port 443
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
DANE TLSA 3 1 1 [0c72ac70b745...] matched EE certificate at depth 0

Connecting to IPv4 address: 104.20.0.85 port 443
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
DANE TLSA 3 1 1 [0c72ac70b745...] matched EE certificate at depth 0

Connecting to IPv4 address: 104.20.1.85 port 443
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
DANE TLSA 3 1 1 [0c72ac70b745...] matched EE certificate at depth 0

Checking HTTPS at www.huque.com with additional debugging (-d):

$ danetls -d www.huque.com 443
TLSA records found: 1
TLSA: 3 1 1 b760c12119c388736da724df1224d21dfd23bf03366c286de1a4125369ef7de0

Connecting to IPv6 address: 2600:3c03:e000:81::a port 443
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Certificate chain:
 0 Subject: /C=US/CN=www.huque.com/[email protected]
   Issuer : /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 Subject: /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   Issuer : /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
DANE TLSA 3 1 1 [b760c12119c3...] matched EE certificate at depth 0

Connecting to IPv4 address: 50.116.63.23 port 443
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Certificate chain:
 0 Subject: /C=US/CN=www.huque.com/[email protected]
   Issuer : /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 Subject: /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   Issuer : /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
DANE TLSA 3 1 1 [b760c12119c3...] matched EE certificate at depth 0

Checking the HTTPS server at www.amazon.com (no TLSA records):

$ danetls www.amazon.com 443
No TLSA records found; Performing PKIX-only validation.

Connecting to IPv4 address: 54.239.25.200 port 443
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
Verified peername: www.amazon.com

Checking the SMTP STARTTLS service at openssl.org. (The MX target of this service is mta.openssl.org):

$ danetls -s smtp mta.openssl.org 25
Connecting to IPv6 address: 2001:608:c00:180::1:e6 port 25
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
DANE TLSA 3 1 1 [687c07fbe249...] matched EE certificate at depth 0

Connecting to IPv4 address: 194.97.150.230 port 25
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
DANE TLSA 3 1 1 [687c07fbe249...] matched EE certificate at depth 0

Checking the XMPP (s2s) service at debian.org: (_xmpp-server SRV record points to the host: voler.debian.org)

$ danetls -s xmpp-server -n debian.org vogler.debian.org
Connecting to IPv6 address: 2001:41b8:202:deb:1b1b::92 port 5269
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
DANE TLSA 3 1 1 [bcafdcc89ec7...] matched EE certificate at depth 0

Connecting to IPv4 address: 82.195.75.92 port 5269
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
DANE TLSA 3 1 1 [bcafdcc89ec7...] matched EE certificate at depth 0

Checking with debugging (-d) SMTP service at mail.ietf.org (Prints details of the SMTP conversation prior to TLS):

$ danetls -d -s smtp mail.ietf.org 25
TLSA records found: 1
TLSA: 3 1 1 0c72ac70b745ac19998811b131d662c9ac69dbdbe7cb23e5b514b56664c5d3d6

Connecting to IPv6 address: 2001:1900:3001:11::2c port 25
recv: 220 ietfa.amsl.com ESMTP Postfix
send: EHLO cheetara.huque.com
recv: 250-ietfa.amsl.com
recv: 250-PIPELINING
recv: 250-SIZE 67108864
recv: 250-ETRN
recv: 250-STARTTLS
recv: 250-AUTH PLAIN LOGIN
recv: 250-AUTH=PLAIN LOGIN
recv: 250-ENHANCEDSTATUSCODES
recv: 250 8BITMIME
send: STARTTLS
recv: 220 2.0.0 Ready to start TLS
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Certificate chain:
 0 Subject: /OU=Domain Control Validated/CN=*.ietf.org
   Issuer : /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
 1 Subject: /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
   Issuer : /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
 2 Subject: /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
   Issuer : /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
 3 Subject: /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
   Issuer : /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
DANE TLSA 3 1 1 [0c72ac70b745...] matched EE certificate at depth 0

Connecting to IPv4 address: 4.31.198.44 port 25
recv: 220 ietfa.amsl.com ESMTP Postfix
send: EHLO cheetara.huque.com
recv: 250-ietfa.amsl.com
recv: 250-PIPELINING
recv: 250-SIZE 67108864
recv: 250-ETRN
recv: 250-STARTTLS
recv: 250-AUTH PLAIN LOGIN
recv: 250-AUTH=PLAIN LOGIN
recv: 250-ENHANCEDSTATUSCODES
recv: 250 8BITMIME
send: STARTTLS
recv: 220 2.0.0 Ready to start TLS
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Certificate chain:
 0 Subject: /OU=Domain Control Validated/CN=*.ietf.org
   Issuer : /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
 1 Subject: /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
   Issuer : /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
 2 Subject: /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
   Issuer : /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
 3 Subject: /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
   Issuer : /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
DANE TLSA 3 1 1 [0c72ac70b745...] matched EE certificate at depth 0

Checking with debugging (-d) XMPP s2s service at mailbox.org (xmpp.mailbox.org) (Prints details of the SMTP conversation prior to TLS):

$ danetls -d -s xmpp-server -n mailbox.org xmpp.mailbox.org 5269
TLSA records found: 1
TLSA: 3 1 1 4758af6f02dfb5dc8795fa402e77a8a0486af5e85d2ca60c294476aadc40b220

Connecting to IPv4 address: 80.241.60.206 port 5269
send: <?xml version='1.0'?><stream:stream to='mailbox.org' version='1.0' xml:lang='en' xmlns='jabber:server' xmlns:stream='http://etherx.jabber.org/streams'>
recv: <?xml version='1.0'?><stream:stream xmlns:db='jabber:server:dialback' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='mailbox.org' id='113d3aef-7495-4d5b-a030-09885afe3046' to='' xml:lang='en' xmlns='jabber:server'><stream:features><dialback xmlns='urn:xmpp:features:dialback'/><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>
send: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
recv: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Certificate chain:
 0 Subject: /OU=Domain Validated Only/CN=*.mailbox.org
   Issuer : /C=CH/O=SwissSign AG/CN=SwissSign Server Silver CA 2014 - G22
 1 Subject: /C=CH/O=SwissSign AG/CN=SwissSign Server Silver CA 2014 - G22
   Issuer : /C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
 2 Subject: /C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
   Issuer : /C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
DANE TLSA 3 1 1 [4758af6f02df...] matched EE certificate at depth 0

Other modes

TBD ...

About

Program to test DANE enabled TLS Services

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C 74.7%
  • Shell 23.2%
  • Makefile 2.1%