After some perhaps benign neglect, the "danecheck" utility published at:
<https://github.com/vdukhovni/danecheck> has been modernised.
The source is in Haskell, and this update brings it up to date with recent
progress in the Haskell toolchain as well as improvements over the years
added to its ancestor DANE survey code base from which the one-shot
"danecheck" is a spin-off.
This version no longer depends on the external libicu library, so won't
be broken when that's updated to a later version with a different
SONAME. It now does a better job of presenting non-ASCII certificate
issuer and common names. If interested, see
https://github.com/vdukhovni/danecheck/blob/master/README.md
for installation details. Sample output for "postfix.org" below
my signature.
I can match 2 out of the "3 1 1" records by specifying which of
RSA-based or ECDSA-based signature algorithms to check (it is also
possible to specify both in either order, though often the server
chooses based on its preference order and client's order is ignored).
The CA in the TLSA records isn't an issuer of either the ECDSA or the
RSA certificate. Perhaps vestigial and should be removed?
subject=C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
issuer=C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
notBefore=Aug 1 12:00:00 2013 GMT
notAfter=Jan 15 12:00:00 2038 GMT
--
Viktor. 🇺🇦 Слава Україні!
------------ ECDSA (client and/or server default)
$ ~/.cabal/bin/danecheck postfix.org ; echo; echo $?
postfix.org. IN MX 10 list.sys4.de. ; NoError AD=1
list.sys4.de. IN A 45.90.5.195 ; NoError AD=1
list.sys4.de. IN AAAA 2a03:4000:20:189::195 ; NoError AD=1
_25._tcp.list.sys4.de. IN TLSA 2 1 1
8bb593a93be1d0e8a822bb887c547890c3e706aad2dab76254f97fb36b82fc26 ; NoError AD=1
_25._tcp.list.sys4.de. IN TLSA 3 1 1
5a5cdb1f9438a36da11e33b31978c4fed0b8996edd2ea2ce206bf9c026c642ad ; NoError AD=1
_25._tcp.list.sys4.de. IN TLSA 3 1 1
ac8c9eb13fcf4f8e9d1ea84b880007cb4ffbf9be30f335b57e5c5a509c5137e4 ; NoError AD=1
_25._tcp.list.sys4.de. IN TLSA 3 1 1
e679f71454654354310785c811bfad1f8c4a2b6863410e4c13a40ab37cb744cf ; NoError AD=1
list.sys4.de[45.90.5.195]: pass: TLSA match: depth = 0, name = list.sys4.de
TLS = TLS1.3 with TLS_AES_256_GCM_SHA384,X25519,PubKeyALG_EC
name = list.sys4.de
depth = 0
Issuer CommonName = E7
Issuer Organization = Let's Encrypt
notBefore = 2026-05-18T02:23:49Z
notAfter = 2026-08-16T02:23:48Z
Subject CommonName = list.sys4.de
pkey sha256 [matched] <- 3 1 1
e679f71454654354310785c811bfad1f8c4a2b6863410e4c13a40ab37cb744cf
depth = 1
Issuer CommonName = ISRG Root X1
Issuer Organization = Internet Security Research Group
notBefore = 2024-03-13T00:00:00Z
notAfter = 2027-03-12T23:59:59Z
Subject CommonName = E7
Subject Organization = Let's Encrypt
pkey sha256 [nomatch] <- 2 1 1
cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75
list.sys4.de[2a03:4000:20:189::195]: pass: TLSA match: depth = 0, name = list.sys4.de
TLS = TLS1.3 with TLS_AES_256_GCM_SHA384,X25519,PubKeyALG_EC
name = list.sys4.de
depth = 0
Issuer CommonName = E7
Issuer Organization = Let's Encrypt
notBefore = 2026-05-18T02:23:49Z
notAfter = 2026-08-16T02:23:48Z
Subject CommonName = list.sys4.de
pkey sha256 [matched] <- 3 1 1
e679f71454654354310785c811bfad1f8c4a2b6863410e4c13a40ab37cb744cf
depth = 1
Issuer CommonName = ISRG Root X1
Issuer Organization = Internet Security Research Group
notBefore = 2024-03-13T00:00:00Z
notAfter = 2027-03-12T23:59:59Z
Subject CommonName = E7
Subject Organization = Let's Encrypt
pkey sha256 [nomatch] <- 2 1 1
cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75
0
------------ RSA
$ ~/.cabal/bin/danecheck --sigalgs rsa postfix.org ; echo; echo $?
postfix.org. IN MX 10 list.sys4.de. ; NoError AD=1
list.sys4.de. IN A 45.90.5.195 ; NoError AD=1
list.sys4.de. IN AAAA 2a03:4000:20:189::195 ; NoError AD=1
_25._tcp.list.sys4.de. IN TLSA 2 1 1
8bb593a93be1d0e8a822bb887c547890c3e706aad2dab76254f97fb36b82fc26 ; NoError AD=1
_25._tcp.list.sys4.de. IN TLSA 3 1 1
5a5cdb1f9438a36da11e33b31978c4fed0b8996edd2ea2ce206bf9c026c642ad ; NoError AD=1
_25._tcp.list.sys4.de. IN TLSA 3 1 1
ac8c9eb13fcf4f8e9d1ea84b880007cb4ffbf9be30f335b57e5c5a509c5137e4 ; NoError AD=1
_25._tcp.list.sys4.de. IN TLSA 3 1 1
e679f71454654354310785c811bfad1f8c4a2b6863410e4c13a40ab37cb744cf ; NoError AD=1
list.sys4.de[45.90.5.195]: pass: TLSA match: depth = 0, name = list.sys4.de
TLS = TLS1.3 with TLS_AES_256_GCM_SHA384,X25519,PubKeyALG_RSA
name = list.sys4.de
depth = 0
Issuer CommonName = R12
Issuer Organization = Let's Encrypt
notBefore = 2026-05-18T02:23:41Z
notAfter = 2026-08-16T02:23:40Z
Subject CommonName = list.sys4.de
pkey sha256 [matched] <- 3 1 1
5a5cdb1f9438a36da11e33b31978c4fed0b8996edd2ea2ce206bf9c026c642ad
depth = 1
Issuer CommonName = ISRG Root X1
Issuer Organization = Internet Security Research Group
notBefore = 2024-03-13T00:00:00Z
notAfter = 2027-03-12T23:59:59Z
Subject CommonName = R12
Subject Organization = Let's Encrypt
pkey sha256 [nomatch] <- 2 1 1
919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4
list.sys4.de[2a03:4000:20:189::195]: pass: TLSA match: depth = 0, name = list.sys4.de
TLS = TLS1.3 with TLS_AES_256_GCM_SHA384,X25519,PubKeyALG_RSA
name = list.sys4.de
depth = 0
Issuer CommonName = R12
Issuer Organization = Let's Encrypt
notBefore = 2026-05-18T02:23:41Z
notAfter = 2026-08-16T02:23:40Z
Subject CommonName = list.sys4.de
pkey sha256 [matched] <- 3 1 1
5a5cdb1f9438a36da11e33b31978c4fed0b8996edd2ea2ce206bf9c026c642ad
depth = 1
Issuer CommonName = ISRG Root X1
Issuer Organization = Internet Security Research Group
notBefore = 2024-03-13T00:00:00Z
notAfter = 2027-03-12T23:59:59Z
Subject CommonName = R12
Subject Organization = Let's Encrypt
pkey sha256 [nomatch] <- 2 1 1
919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4
0
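The matching logic behind the per-depth report above (DANE-EE "3 1 1" records compared against the end-entity key at depth 0, the DANE-TA "2 1 1" record compared only against issuers, and a separate pass per signature algorithm so that both the ECDSA and the RSA certificate get checked) is small enough to show in full. The following is an added example written for this page, not danecheck's own Haskell code: it does no DNS lookups or TLS connections, and the certificate "DER" and "SPKI" byte strings are constructed stand-ins whose SHA-256 digests are used as the sample TLSA data. Parsing the presentation lines, honouring AD=1, and summarising which chain matched which record is exactly what lets an operator spot a record that no longer corresponds to any presented key or issuer.

```python
"""Per-chain DANE TLSA matching in the spirit of danecheck's report (added
example, not danecheck's code). All certificate bytes below are constructed
placeholders; no real X.509 parsing or network access is performed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int     # 2 = DANE-TA (trust anchor/issuer), 3 = DANE-EE (end entity)
    selector: int  # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    mtype: int     # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes
    ad: bool       # True when the answer carried AD=1 (DNSSEC validated)


@dataclass(frozen=True)
class Cert:
    """Stand-in for a parsed certificate; der/spki are constructed bytes."""
    subject_cn: str
    der: bytes
    spki: bytes


def tlsa_data(cert, selector, mtype):
    """Derive the comparison value a TLSA record would carry for this cert."""
    raw = cert.spki if selector == 1 else cert.der
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unsupported matching type {mtype}")


def parse_tlsa(lines):
    """Parse danecheck-style lines such as
    '_25._tcp.host. IN TLSA 3 1 1 <hex> ; NoError AD=1'.
    A record whose hex data wrapped onto the next line is joined first."""
    joined = []
    for line in (l.strip() for l in lines):
        if not line:
            continue
        if "IN TLSA" in line or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line
    records = []
    for line in joined:
        rr, _, comment = line.partition(";")
        fields = rr.split()
        if "TLSA" not in fields:
            continue
        i = fields.index("TLSA")
        usage, selector, mtype = (int(x) for x in fields[i + 1:i + 4])
        data = bytes.fromhex("".join(fields[i + 4:]))
        records.append(TLSA(usage, selector, mtype, data, "AD=1" in comment))
    return records


def match_chain(chain, records):
    """chain[0] is the end-entity cert (depth 0); later entries are issuers.
    DANE-EE records are compared only at depth 0, DANE-TA records only against
    issuers. Records without AD=1 are ignored: unvalidated TLSA data must not
    be used. Returns (passed, [(depth, record, matched), ...])."""
    usable = [rr for rr in records if rr.ad and rr.usage in (2, 3)]
    report, passed = [], False
    for depth, cert in enumerate(chain):
        for rr in usable:
            if rr.usage == 3 and depth != 0:
                continue
            if rr.usage == 2 and depth == 0:
                continue
            ok = tlsa_data(cert, rr.selector, rr.mtype) == rr.data
            report.append((depth, rr, ok))
            passed = passed or ok
    return passed, report


def summarize(chains, records):
    """Map each record to the names of the chains (e.g. 'ecdsa', 'rsa') that
    matched it. A record matched by no chain corresponds to no key or issuer
    the server presents, which is the situation to investigate."""
    matched_by = {rr: [] for rr in records}
    for name, chain in chains.items():
        for _depth, rr, ok in match_chain(chain, records)[1]:
            if ok:
                matched_by[rr].append(name)
    return matched_by


# Constructed sample data: two chains for the same host, one ECDSA and one RSA.
ECDSA_LEAF = Cert("list.sys4.de", b"constructed-ec-cert", b"constructed-ec-spki")
RSA_LEAF = Cert("list.sys4.de", b"constructed-rsa-cert", b"constructed-rsa-spki")
E7 = Cert("E7", b"constructed-e7-cert", b"constructed-e7-spki")
R12 = Cert("R12", b"constructed-r12-cert", b"constructed-r12-spki")
ROOT = Cert("ISRG Root X1", b"constructed-root-cert", b"constructed-root-spki")
CHAINS = {"ecdsa": [ECDSA_LEAF, E7, ROOT], "rsa": [RSA_LEAF, R12, ROOT]}


def _hex(b):
    return hashlib.sha256(b).hexdigest()


# Constructed zone data in the page's layout: a "2 1 1" for a CA that issues
# neither chain, plus three "3 1 1" records of which only two match a leaf key.
SAMPLE_ZONE = [
    "_25._tcp.list.sys4.de. IN TLSA 2 1 1",
    f"{_hex(b'constructed-unrelated-ca-spki')} ; NoError AD=1",
    f"_25._tcp.list.sys4.de. IN TLSA 3 1 1 {_hex(ECDSA_LEAF.spki)} ; NoError AD=1",
    f"_25._tcp.list.sys4.de. IN TLSA 3 1 1 {_hex(b'constructed-old-key-spki')} ; NoError AD=1",
    f"_25._tcp.list.sys4.de. IN TLSA 3 1 1 {_hex(RSA_LEAF.spki)} ; NoError AD=1",
]

if __name__ == "__main__":
    recs = parse_tlsa(SAMPLE_ZONE)
    for rr, names in summarize(CHAINS, recs).items():
        status = ", ".join(names) if names else "matched by no chain"
        print(f"{rr.usage} {rr.selector} {rr.mtype} {rr.data.hex()[:16]}... -> {status}")
```

Run stand-alone it prints one line per record; with the constructed data the ECDSA and RSA leaf records each match exactly one chain, while the third "3 1 1" and the "2 1 1" are matched by neither, which is the same shape as the "2 out of 3" result reported above.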
_______________________________________________
Postfix-users mailing list -- [email protected]