TLSA Validation Failed
Mark Elkins
mje at posix.co.za
Tue Jul 14 12:55:03 CEST 2015
I presume he connected to your SSL protected website directly - using
openssl.... (almost a replacement for
"telnet xn----ymcadjpj1at5o.xn--wgbh1c 443")
# openssl s_client -connect xn----ymcadjpj1at5o.xn--wgbh1c:443
Then - echo the server certificate part.... through the commands I gave
earlier....
echo "-----BEGIN CERTIFICATE-----
> MIIDXzCCAkegAwIBAgIEC51NfTANBgkqhkiG9w0BAQsFADBgMQkwBwYDVQQGEwAx
[bit in the middle deleted due to 40K limit of message size]
> BXBpup6UrH+A4ikdAV+H2HKUwtLOtywjxcpKEPAOmAaGsnt0JwlTNJyyupEO6dCf
> 3xnY
> -----END CERTIFICATE-----
> " | openssl x509 -outform DER | openssl sha256
(stdin)= ad562370d03dfbe4edfc4780a2367c8fd086d8a00d53a80d8ec6a8909d50da9a
or equally do this all in one step - but I think this may actually
"hide" too much of the logic of what happens...
# openssl s_client -connect xn----ymcadjpj1at5o.xn--wgbh1c:443 | openssl x509 -outform DER | openssl sha256
:-)
On Tue, 2015-07-14 at 10:05 +0000, Abdelmeniem Tharwat wrote:
> Dear Mark,
> Thanks for your response. Actually, I am asking how Viktor generated the "correct" TLSA record, as my problem was in the record
> generated by the openssl command, which is like what you sent to me (the same TLSA record).
> It is working now, but might Viktor have time to send me how he generated the TLSA record?
> Thanks
--
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
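
The steps in the message above (pull the PEM block out of the s_client output, convert it to DER, take the SHA-256), written out as an added Python example that is not part of the original post. It also checks a published record against the certificate. The function names are hypothetical, the default usage value 3 is an assumption, and the sample input is constructed.

```python
import base64
import hashlib
import re

# Constructed sample: s_client-style output around a PEM block. The body is a
# 5-byte DER stand-in (SEQUENCE { INTEGER 1 }), not a real certificate.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
---
Server certificate
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
---
"""

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Matching types from RFC 6698: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
DIGESTS = {0: lambda b: b,
           1: lambda b: hashlib.sha256(b).digest(),
           2: lambda b: hashlib.sha512(b).digest()}

def first_cert_der(text):
    """Return the DER bytes of the first PEM certificate found in text."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM certificate in input")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def tlsa_rdata(der, usage=3, mtype=1):
    """Format 'usage selector mtype data' for selector 0 (full certificate)."""
    return "%d 0 %d %s" % (usage, mtype, DIGESTS[mtype](der).hex())

def tlsa_matches(rdata, der):
    """Check a published selector-0 TLSA record against a certificate."""
    usage, selector, mtype, data = rdata.split(None, 3)
    if selector != "0":
        raise ValueError("only selector 0 (full certificate) handled here")
    # Zone files may split the hex data with whitespace; strip it first.
    want = bytes.fromhex("".join(data.split()))
    return DIGESTS[int(mtype)](der) == want

if __name__ == "__main__":
    print(tlsa_rdata(first_cert_der(SAMPLE_OUTPUT)))
```

A digest taken over the PEM text instead of the DER bytes will not match, which is why the pipeline in the message runs `openssl x509 -outform DER` before hashing.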