TLSA Validation Failed

Mark Elkins mje at posix.co.za
Tue Jul 14 12:55:03 CEST 2015


I presume he connected to your SSL protected website directly - using
openssl.... (almost a replacement for
   "telnet xn----ymcadjpj1at5o.xn--wgbh1c 443")


# openssl s_client -connect xn----ymcadjpj1at5o.xn--wgbh1c:443

Then - echo the server certificate part.... through the commands I gave
earlier....

echo "-----BEGIN CERTIFICATE-----
> MIIDXzCCAkegAwIBAgIEC51NfTANBgkqhkiG9w0BAQsFADBgMQkwBwYDVQQGEwAx
[bit in the middle deleted due to 40K limit of message size]
> BXBpup6UrH+A4ikdAV+H2HKUwtLOtywjxcpKEPAOmAaGsnt0JwlTNJyyupEO6dCf
> 3xnY
> -----END CERTIFICATE-----
> " | openssl x509 -outform DER  | openssl sha256
(stdin)= ad562370d03dfbe4edfc4780a2367c8fd086d8a00d53a80d8ec6a8909d50da9a


or equally do this all in one step - but I think this may actually
"hide" too much of the logic of what happens...

# openssl s_client -connect xn----ymcadjpj1at5o.xn--wgbh1c:443 | openssl x509 -outform DER | openssl sha256


:-)


On Tue, 2015-07-14 at 10:05 +0000, Abdelmeniem Tharwat wrote:
> Dear Mark,
> Thanks for your response. Actually, I am asking about how Viktor generated the "correct" TLSA record, as my problem was in the record
> generated by the openssl command, which is like what you sent to me, "Same TLSA record".
> It is working now, but may Viktor have time to send me how he generated the TLSA record?
> Thanks

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
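
The same computation as the openssl pipeline in the message above, as an added Python example that is not part of the original message: it takes the first PEM certificate out of text such as s_client output, hashes its DER form, and goes one step further than the message by also covering selector 1 (SubjectPublicKeyInfo) and the RFC 6698 matching types. The function names, the default usage value 3 and the sample bytes (a constructed DER skeleton, not a real certificate) are assumptions.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
HASHES = {1: hashlib.sha256, 2: hashlib.sha512}  # RFC 6698 matching types 1 and 2

def first_cert_der(text):
    """DER bytes of the first PEM certificate in text (like `openssl x509 -outform DER`)."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_from_cert(der):
    """Slice the DER SubjectPublicKeyInfo out of an X.509 certificate."""
    _, start, _ = _tlv(der, 0)       # Certificate SEQUENCE
    _, pos, _ = _tlv(der, start)     # tbsCertificate SEQUENCE
    tag, _, nxt = _tlv(der, pos)
    if tag == 0xA0:                  # optional [0] version field
        pos = nxt
    for _field in range(5):          # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(der, pos)
    tag, _, end = _tlv(der, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return der[pos:end]

def tlsa_rdata(text, usage=3, selector=0, mtype=1):
    """TLSA rdata string; usage 3 (DANE-EE) is an assumed default, not from the message."""
    der = first_cert_der(text)
    data = der if selector == 0 else spki_from_cert(der)
    assoc = data.hex() if mtype == 0 else HASHES[mtype](data).hexdigest()
    return f"{usage} {selector} {mtype} {assoc}"

# Constructed sample: a DER skeleton with the right shape, not a real certificate.
SAMPLE_DER = bytes.fromhex("302130" "19a003020102020101300030003000300030073000030300aabb3000030200cc")
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(SAMPLE_DER).decode()
```

For a live server, pass `tlsa_rdata` the text printed by `openssl s_client -connect host:443 -servername host`; without `-servername`, older OpenSSL releases send no SNI, and a name-based virtual host may answer with a different certificate than the one browsers see.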



More information about the dane-users mailing list