TLSA Validation Failed

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Jul 14 18:07:35 CEST 2015


On Tue, Jul 14, 2015 at 08:37:10AM +0000, Abdelmeniem Tharwat wrote:

> > > And when I try to execute dig @8.8.8.8 _443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c +dnssec TLSA,
> > > I got the TLSA record that is identical to the hash from crt file.
> > 
> > Both are wrong.
> > 
> > The correct "3 0 1" TLSA for your server is:
> > 
> >     _443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c. TLSA 3 0 1 AD562370D03DFBE4EDFC4780A2367C8FD086D8A00D53A80D8EC6A8909D50DA9A
> > 
> > What you've published is:
> > 
> >     _443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c. TLSA 3 0 1 1A70DF05AC43318AB35A16542A8736D077ACE3126FAFE00508EDD7484F293C6C
> > 
> > No idea what that is the digest of, but it is not the digest of the DER
> > form of the server certificate.

> You are right, but kindly advise how I can get the TLSA record?  I used 
>
>    openssl x509 -in xn----ymcadjpj1at5o.xn--wgbh1c.registry.crt -outform DER |
>        openssl sha256
>    (stdin)= 1a70df05ac43318ab35a16542a8736d077ace3126fafe00508edd7484f293c6c
> 
> And got what I added to the zone file.

Then the file you used is not the certificate used by the actual
Internet-facing webserver.  Perhaps you forgot to reconfigure the
server.  

Also, its self-signed certificate has a rather short lifetime; I
would suggest a lifetime of 10 years or more, which is invalidated
by updating the TLSA record, not by the underlying expiration.

You might find my "tlsagen" bash script handy.

    $ ~/tlsagen xn----ymcadjpj1at5o.xn--wgbh1c.pem xn----ymcadjpj1at5o.xn--wgbh1c:443 3 0 1
    _443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c. IN TLSA 3 0 1 AD562370D03DFBE4EDFC4780A2367C8FD086D8A00D53A80D8EC6A8909D50DA9A

-- 
	Viktor.

$ openssl x509 -subject -issuer -dates -sha256 -fingerprint -in xn----ymcadjpj1at5o.xn--wgbh1c.pem
subject= /C=/ST=/L=/O=/OU=/CN=xn----ymcadjpj1at5o.xn--wgbh1c
issuer= /C=/ST=/L=/O=/OU=/CN=xn----ymcadjpj1at5o.xn--wgbh1c
notBefore=Jul 13 16:06:16 2015 GMT
notAfter=Oct 11 16:06:16 2015 GMT
SHA256 Fingerprint=AD:56:23:70:D0:3D:FB:E4:ED:FC:47:80:A2:36:7C:8F:D0:86:D8:A0:0D:53:A8:0D:8E:C6:A8:90:9D:50:DA:9A
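As an added example (not Viktor's tlsagen script and not code from the thread), a standard-library Python equivalent of the "3 0 1" computation above: DER of the certificate, SHA-256, published under _443._tcp.<host>. It also fetches the certificate the live server actually presents, which is what the zone entry must match rather than a .crt file on disk. Hostnames and file contents used with it are assumptions.

```python
import base64
import hashlib
import socket
import ssl

def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    start = pem_text.find("-----BEGIN CERTIFICATE-----")
    end = pem_text.find("-----END CERTIFICATE-----", start)
    if start < 0 or end < 0:
        raise ValueError("no CERTIFICATE block found")
    body = pem_text[start + len("-----BEGIN CERTIFICATE-----"):end]
    return base64.b64decode("".join(body.split()))

def tlsa_rdata(der, usage=3, selector=0, mtype=1):
    """Return "usage selector mtype HEX". Only selector 0 (whole certificate)
    is handled; selector 1 would digest the SubjectPublicKeyInfo instead."""
    if selector != 0:
        raise NotImplementedError("selector 1 (SPKI) is not implemented here")
    if mtype == 0:          # exact match: the full DER, hex encoded
        digest = der.hex()
    elif mtype == 1:        # SHA-256, the case discussed in the thread
        digest = hashlib.sha256(der).hexdigest()
    elif mtype == 2:        # SHA-512
        digest = hashlib.sha512(der).hexdigest()
    else:
        raise ValueError("unknown matching type %r" % mtype)
    return "%d %d %d %s" % (usage, selector, mtype, digest.upper())

def tlsa_record(der, host, port=443, usage=3, selector=0, mtype=1):
    """Presentation-form RR: owner is _port._tcp.host (host as an A-label)."""
    return "_%d._tcp.%s. IN TLSA %s" % (port, host, tlsa_rdata(der, usage, selector, mtype))

def matches_published(der, published_hex, selector=0, mtype=1):
    """True if the hex already in the zone is what this DER should produce."""
    expected = tlsa_rdata(der, 3, selector, mtype).split()[-1]
    return expected == published_hex.strip().upper()

def fetch_leaf_der(host, port=443):
    """DER of the certificate the live server presents: that is what the TLSA
    digest must cover, not whatever .crt file happens to be on disk. PKIX
    verification is off because a DANE-EE self-signed cert has no chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
```

Running matches_published(fetch_leaf_der(host), hex_from_zone) is the check that separates a stale .crt file from the certificate the server really serves.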

