[dane] DANE TLSA support in OpenSSL 1.1.0 coming soon...

[Viktor Dukhovni]

The OpenSSL code for DANE 1.1.0 is done, pending internal team
review.  I am hoping it will appear in 1.1.0-pre2 in early January.
If the review takes too long, it might slip into 1.1.0-pre3 in
February.  I'm working to avoid that.  

A quick demo below.  Note OpenSSL will *NOT* do the DNS lookups
for you.  Use a suitable DNS library and feed the validated RRDATA
to OpenSSL, which will then use these to validate the peer certificate
(with built-in name checks, skipped as required for DANE-EE(3)).

        [ Bash code for the "danehttps" demo shell function that
          wraps "openssl s_client" is below my signature): ]

    # Verisign's "3 0 1" good demo:
    #
    $ danehttps good.dane.verisignlabs.com
    openssl 's_client' '-connect' 'good.dane.verisignlabs.com:443' 
'-dane_tlsa_domain' 'good.dane.verisignlabs.com' '-dane_tlsa_rrdata' '3 0 1 
0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3'
    DANE TLSA 3 0 1 matched EE certificate at depth 0
        Verify return code: 0 (ok)

    # "3 1 1" from torproject.org for good measure:
    #
    $ danehttps torproject.org
    openssl 's_client' '-connect' 'torproject.org:443' '-dane_tlsa_domain' 
'torproject.org' '-dane_tlsa_rrdata' '3 1 1 
578582E6B4569A4627AEF5DFE876EEC0539388E605DB170217838B10 D2A58DA5'
    DANE TLSA 3 1 1 matched EE certificate at depth 0
        Verify return code: 0 (ok)

    # Verisign's "3 0 1" bad hash:
    #
    $ danehttps bad-hash.dane.verisignlabs.com
    openssl 's_client' '-connect' 'bad-hash.dane.verisignlabs.com:443' 
'-dane_tlsa_domain' 'bad-hash.dane.verisignlabs.com' '-dane_tlsa_rrdata' '3 0 1 
99999999999999999999999999999999999999999999999999999999 99999999'
        Verify return code: 27 (certificate not trusted)

    # Verisign's unusable TLSA records:
    #
    $ danehttps bad-params.dane.verisignlabs.com
    openssl 's_client' '-connect' 'bad-params.dane.verisignlabs.com:443' 
'-dane_tlsa_domain' 'bad-params.dane.verisignlabs.com' '-dane_tlsa_rrdata' '3 0 
17 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3' 
'-dane_tlsa_rrdata' '3 119 1 
0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3' 
'-dane_tlsa_rrdata' '51 0 1 
0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3'
    s_client: warning: unusable TLSA rrdata: 3 0 17 
0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3
    s_client: warning: unusable TLSA rrdata: 3 119 1 
0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3
    s_client: warning: unusable TLSA rrdata: 51 0 1 
0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC69 33C808D3

    # It takes an Exim developer to be "man enough" to use non-trivial
    # chains with DANE and publish multiple TLSA RRs.  A non-toy deployment.
    #
    $ danehttps www.spodhuis.org
    openssl 's_client' '-connect' 'www.spodhuis.org:443' '-dane_tlsa_domain' 
'www.spodhuis.org' '-dane_tlsa_rrdata' '2 0 1 
BDEE0D7C8F9C278F14EA9B6A4F90ED665A9F56DB0A56B1CDDA676591 2F398A5E' 
'-dane_tlsa_rrdata' '2 0 1 
96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0 BDDF08C6' 
'-dane_tlsa_rrdata' '2 0 1 
E4EB54A7FFA552EF64D8E1AE338B69BE909C29E6AF57170A2F6F44DF 225E5A14' 
'-dane_tlsa_rrdata' '2 0 1 
EA99063A0A3BDA9727032CF82DA238698B90BA729300703D39569436 35F96488'
    DANE TLSA 2 0 1 matched TA certificate at depth 1
    Verified peername: www.spodhuis.org
        Verify return code: 0 (ok)

    # Doug Barton is is particularly fond of PKIX-EE(1)
    #
    $ danehttps dougbarton.us -CAfile /tmp/startcom-root.pem
    openssl 's_client' '-connect' 'dougbarton.us:443' '-CAfile' '/tmp/sc.pem' 
'-dane_tlsa_domain' 'dougbarton.us' '-dane_tlsa_rrdata' '1 0 2 
437A2A0C21D29C95FA036E982421EAE07FB180935C97D719AEDFAA5E 
46FB64AE10C09266A0EC42E5D360785B5233B116F32868DDE7E81B2F BE6870D4B5781C63'
    DANE TLSA 1 0 2 matched EE certificate at depth 0
    Verified peername: dougbarton.us
        Verify return code: 0 (ok)

    # Which fails, as it should, if we omit the local PKIX root:
    #
    $ danehttps dougbarton.us
    openssl 's_client' '-connect' 'dougbarton.us:443' '-dane_tlsa_domain' 
'dougbarton.us' '-dane_tlsa_rrdata' '1 0 2 
437A2A0C21D29C95FA036E982421EAE07FB180935C97D719AEDFAA5E 
46FB64AE10C09266A0EC42E5D360785B5233B116F32868DDE7E81B2F BE6870D4B5781C63'
        Verify return code: 20 (unable to get local issuer certificate)

-- 
        Viktor.

#! /bin/bash

# Uses Bash arrays and local variables

danehttps() {
    local host=$1; shift
    local args=(s_client -connect "$host:443")
    args=("${args[@]}" -dane_tlsa_domain "$host")

    local nlx="$(printf '\nx')"
    OIFS="$IFS"; IFS="${nlx%x}"
    rrs=( $(
        dig +noall +ans +nocl +nottl -t tlsa "_443._tcp.$host." |
            awk '$2 == "TLSA" {sub(/.*TLSA[^0-9]*/, "", $0); print}'
        ) )
    IFS="$OIFS"
    for rr in "${rrs[@]}"; do
       args=("${args[@]}" "-dane_tlsa_rrdata" "$rr")
    done

    printf "openssl"
    for arg in "${args[@]}"; do printf " '%s'" "$arg"; done; echo
    (printf "HEAD / HTTP/1.0\r\nHost: %s\n" "$host"; sleep 1) |
        openssl "${args[@]}" 2>&1 |
        egrep '^ *Verif|^DANE TLSA|: warning:'
}

danehttps "$1"

_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane