On Tue, Feb 11, 2025 at 01:06:02AM -0800, Dan Mahoney wrote:
> >
> > https://list.sys4.de/hyperkitty/list/[email protected]/thread/NKDBQABSTAAWLTHSZKC7P3HALF7VE5QY/
>
> Followon question, related to openSSL versus Postfix, but relevant for those
> of us trying to understand the monitoring.
>
> So we check DANE using s_client -starttls smtp -connect $host:25
> -verify 9 -verify_return_error -dane_ee_no_namechecks
> -dane_tlsa_domain $host -dane_tlsa_rrdata $rr
Yes.
> And if we parse the output, the two lines in the output we’re looking for are:
No, you look at the function's return code! The output is just diagnostic
info to help understand the return code result.
> (Plus the openssl exit code of zero).
That's the output you need to pay attention to.
> Correct? Is either of these more "canonical" than the others? (I
> know that for different values in the TLSA record, the text won't be
> exactly that).
The return code is the one that matters.
> Is there some reason that the TLSA record openssl prints is shortened?
> There are definitely longer lines in the openssl output, such as
> "Resumption PSK", so it's not like OpenSSL has an arbitrary
> wrap-length.
Because with a full certificate it can be multiple kilobytes.
--
Viktor.
_______________________________________________
Postfix-users mailing list -- [email protected]
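A monitoring wrapper for the check discussed in this thread, added here as an example and not code from the thread or from Postfix/OpenSSL: it runs s_client with exactly the flags Dan listed, repeats -dane_tlsa_rrdata once per TLSA record, and decides purely on the openssl exit status as Viktor says, keeping the captured output only as diagnostics when the check fails. The OPENSSL override variable and the example host and record values are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a DANE probe for one SMTP host that
# trusts only the openssl exit status and treats the s_client output purely
# as diagnostic info for a failed check.
# Assumptions: OPENSSL may be overridden (e.g. with a stub when testing);
# each RRDATA argument is a TLSA record in the "usage selector mtype hex"
# form that -dane_tlsa_rrdata expects (the option may be repeated, one per
# TLSA record published for the host).

: "${OPENSSL:=openssl}"

# dane_check HOST RRDATA... -> exit status of openssl s_client (0 = DANE OK)
# The captured output is printed on stderr only when the check fails.
dane_check() {
    host=$1
    shift
    # Rewrite the remaining positional parameters "rr1 rr2 ..." into
    # "-dane_tlsa_rrdata rr1 -dane_tlsa_rrdata rr2 ..." in place.
    n=$#
    while [ "$n" -gt 0 ]; do
        rr=$1
        shift
        set -- "$@" -dane_tlsa_rrdata "$rr"
        n=$((n - 1))
    done
    rc=0
    # QUIT on stdin makes s_client end the session cleanly after the
    # handshake instead of waiting for interactive input.
    out=$(printf 'QUIT\r\n' | "$OPENSSL" s_client -starttls smtp \
        -connect "$host:25" -verify 9 -verify_return_error \
        -dane_ee_no_namechecks -dane_tlsa_domain "$host" "$@" 2>&1) || rc=$?
    if [ "$rc" -ne 0 ]; then
        printf 'DANE check failed for %s (openssl exit %d)\n%s\n' \
            "$host" "$rc" "$out" >&2
    fi
    return "$rc"
}

# Usage: ./dane-check.sh mx.example.test "3 1 1 <hex>" ["3 1 1 <hex>" ...]
# (host and records are placeholders; nothing runs when no args are given)
if [ $# -ge 2 ]; then
    dane_check "$@"
    exit $?
fi
```

Feed it every TLSA record returned for the MX host; a monitor that greps the output instead of checking the exit status will miss cases where the text changes with the record type.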