Hello Peter,

The page https://check.sidnlabs.nl/dane/ also fails to validate
mijn.iaf.nl.

We think that the problem is related to SNI (Server Name Indication). If
we manually disable SNI then the validation succeeds.

With SNI we get a cert chain starting with:
Data:
        Version: 3 (0x2)
        Serial Number: 147790 (0x2414e)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: Aug 10 08:25:02 2014 GMT
            Not After : Aug  9 08:25:02 2016 GMT
        Subject: C=NL, ST=Overijssel, L=Enschede, O=Internet Access Facilities BV, CN=service.iaf.nl
...

With SNI disabled we get:
Data:
        Version: 3 (0x2)
        Serial Number: 138082 (0x21b62)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: Jan 10 15:08:01 2014 GMT
            Not After : Jan 10 15:08:01 2016 GMT
        Subject: C=NL, ST=Overijssel, L=Enschede, O=Internet Access Facilities BV, CN=*.iaf.nl
...

Those are two different chains. There is an issue with your server's
configuration. The server is sending a certificate chain that cannot be
successfully validated if we use SNI.

K.

On 13.12.2014 at 12:30, Peter Peters wrote:
> Hi,
> 
> I am using DNSSEC/TLSA Validator version 2.2.0.1 on Firefox 34.0.5. I
> am checking the URL https://mijn.iaf.nl/. This site is signed with a
> CAcert certificate. The root certificate is loaded into the browser so
> it has no problem with the site.
> 
> I get a red padlock for this site. Examination of the TLSA record shows
> no problem. Checking the site with
> https://www.had-pilot.com/dane/danelaw.html shows the TLSA record is
> correct.
> 
> I tried changing the configuration of the plug-in to use different
> nameservers but that doesn't give any other result.
> 
> Information from our nameserver:
> # host -t TLSA _443._tcp.mijn.iaf.nl
> _443._tcp.mijn.iaf.nl has TLSA record 3 0 1
> 58D8B8E4F119125B1705B0CB8EDB623C4AE355984758F9E1E2B4439E 2E300C6F
> 
> I don't know whether it makes a difference which certificate (root or
> site) is used in the TLSA record. I noticed you have a TLSA record with
> "0 1 1" as this site has "3 0 1". We also tested with "3 1 1", but that
> didn't result in a green padlock either.
> 
> Greetings
> Peter Peters
> 
> 
> _______________________________________________
> dnssec-validator-users mailing list
> [email protected]
> https://lists.nic.cz/cgi-bin/mailman/listinfo/dnssec-validator-users
> 

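To make the point about the two chains concrete, here is an added example (not code from this list or from the DNSSEC/TLSA Validator project) of the DANE-EE comparison from RFC 6698: it builds two constructed, unsigned stand-in certificates for the chains quoted above, derives a "3 0 1" record from the one served without SNI, and shows that the certificate served with SNI cannot match that record. The DER layout is real X.509, but the certificates, keys and the RECORD value are constructed for the demonstration, not the live iaf.nl data.

```python
import hashlib

def _der(tag, content):
    """Tiny DER TLV encoder (minimal short/long-form length), used only for the constructed certs."""
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long-form length bytes, unused when n < 128
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + content

def _children(buf, pos=0):
    """Raw child elements of the DER SEQUENCE at pos (handles short and long-form lengths)."""
    def tlv(p):  # -> (content_start, end) of the element starting at p
        n, k = buf[p + 1], 0
        if n >= 0x80:
            k, n = n & 0x7F, int.from_bytes(buf[p + 2:p + 2 + (n & 0x7F)], "big")
        return p + 2 + k, p + 2 + k + n
    p, end = tlv(pos)
    out = []
    while p < end:
        out.append(buf[p:tlv(p)[1]])
        p += len(out[-1])
    return out

def spki_of(cert_der):
    """SubjectPublicKeyInfo of a DER X.509 cert: 6th tbsCertificate field once the [0] version is skipped."""
    fields = _children(_children(cert_der)[0])
    return fields[6 if fields[0][0] == 0xA0 else 5]

def tlsa_data(cert_der, selector, mtype):
    """RFC 6698 association data: selector 0 = full cert, 1 = SPKI; mtype 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    return data if mtype == 0 else (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).digest()

def tlsa_matches(record, cert_der):
    """Compare a (usage, selector, mtype, hex) record such as '3 0 1 <hex>' with the served leaf cert.
    Only DANE-EE (usage 3) is modelled; other usages need a PKIX chain and yield False here."""
    usage, selector, mtype, hexdata = record
    return usage == 3 and tlsa_data(cert_der, selector, mtype) == bytes.fromhex(hexdata)

def fake_cert(cn, serial, key):
    """Structurally valid but unsigned DER certificate with dummy key material (constructed, not real)."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0c, cn.encode()))))
    validity = _der(0x30, _der(0x17, b"140810082502Z") + _der(0x17, b"160809082502Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + key))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial) + alg + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))

CERT_SNI = fake_cert("service.iaf.nl", b"\x02\x41\x4e", b"public-key-A")  # constructed stand-in: chain seen with SNI
CERT_NOSNI = fake_cert("*.iaf.nl", b"\x02\x1b\x62", b"public-key-B")      # constructed stand-in: chain seen without SNI
RECORD = (3, 0, 1, tlsa_data(CERT_NOSNI, 0, 1).hex())  # the "3 0 1" record as it would be published for CERT_NOSNI
```

tlsa_matches(RECORD, CERT_NOSNI) is True while tlsa_matches(RECORD, CERT_SNI) is False, which is exactly the split a validator sees when the SNI and non-SNI handshakes return different certificates; a "3 1 1" record is checked the same way with selector 1. bytes.fromhex accepts the space-split hex that host prints, so record data can be pasted as shown in the quoted output.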