Wildcard certificate and DANE/TLSA records

zorion zorion at autistici.org
Mon Dec 31 18:52:38 CET 2018


Hello,

I'm working with a wildcard certificate[0] for a domain for which I'm trying
to add DANE/TLSA records. There are a series of MX servers that use this
certificate and I thought that I could put the specific name of the
server into the TLSA record and that would work, but when I try to test
that with one of the testers online, they fail to verify it, I think
because there is no specific match to the name.

For example, I made these records using the certificate chain for the
input to danetool:

danetool --tlsa-rr --host mx1.riseup.net --load-certificate
./wildcard_server_chain.pem --app-proto=smtp --ca --x509

_25._tcp.mx1.riseup.net. IN CNAME tlsa._mxdane.riseup.net.
tlsa._mxdane.riseup.net. IN TLSA ( 02 00 01
3814e3eaf91e30451790697a98b1b5594cdbdfef4a73ef5a47ed33c556816645 )

But when I try to test that, I get:

#################################################################
### CHECKING MX HOST: mx1.riseup.net
#################################################################

TLSA records found: 1
TLSA: 2 0 1 3814e3eaf91e30451790697a98b1b5594cdbdfef4a73ef5a47ed33c556816645

Connecting to IPv4 address: 198.252.153.129 port 25
recv: 220-mx1.riseup.net ESMTP (spam is not appreciated)
recv: 220 mx1.riseup.net ESMTP (spam is not appreciated)
send: EHLO cheetara.huque.com
recv: 250-mx1.riseup.net
recv: 250-PIPELINING
recv: 250-SIZE 25600000
recv: 250-ETRN
recv: 250-STARTTLS
recv: 250-ENHANCEDSTATUSCODES
recv: 250-8BITMIME
recv: 250 DSN
send: STARTTLS
recv: 220 2.0.0 Ready to start TLS
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Peer Certificate chain:
 0 Subject CN: *.riseup.net
   Issuer  CN: COMODO RSA Domain Validation Secure Server CA
 1 Subject CN: COMODO RSA Domain Validation Secure Server CA
   Issuer  CN: COMODO RSA Certification Authority
 2 Subject CN: COMODO RSA Certification Authority
   Issuer  CN: AddTrust External CA Root
 3 Subject CN: AddTrust External CA Root
   Issuer  CN: AddTrust External CA Root
 SAN dNSName: *.riseup.net
 SAN dNSName: riseup.net
Error: peer authentication failed. rc=65 (No matching DANE TLSA records)

[2] Authentication failed for all (1) peers.

I suspect this is because the SAN dNSName does not specify
mx1.riseup.net? I cannot find any specific details for how wildcards are
handled in the RFCs.

Did I define the record incorrectly, or generate the hash over the wrong
pieces? I thought maybe it was because I used the PEM encoded cert
chain, but it's not possible to generate a DER when the input is a
multiple cert file.

Thanks for any help!


0. yes, I am aware of why wildcards are discouraged, but this is what I
have to work with here.
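As an added example, not code from the original post or from danetool: stdlib-only Python that computes the TLSA RDATA each selector covers (0 = full certificate, 1 = SubjectPublicKeyInfo) for every certificate in a chain, and applies the RFC 7671 comparison rule that EE usages (1/3) are matched against the leaf only while TA usages (0/2) are matched against an issuer certificate in the chain. The certificates are constructed, certificate-shaped DER stubs rather than real X.509 certificates, and the matcher performs only the DANE comparison step (no PKIX validation, no hostname or SAN check).

```python
"""TLSA RDATA per chain certificate plus the RFC 7671 rule for which chain element a record is compared with."""
import hashlib

def der_tlv(buf, pos=0):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_der(cert_der):
    """Return the DER SubjectPublicKeyInfo: the bytes TLSA selector 1 covers."""
    _, pos, _ = der_tlv(cert_der)           # Certificate SEQUENCE
    _, pos, _ = der_tlv(cert_der, pos)      # tbsCertificate SEQUENCE
    tag, _, end = der_tlv(cert_der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                      # serial, sigAlg, issuer, validity, subject
        _, _, pos = der_tlv(cert_der, pos)
    return cert_der[pos:der_tlv(cert_der, pos)[2]]

def tlsa_rdata(cert_der, usage, selector, mtype=1):
    """'usage selector mtype hex' for one cert; mtype 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    return f"{usage} {selector} {mtype} {hashlib.new({1: 'sha256', 2: 'sha512'}[mtype], data).hexdigest()}"

def match_tlsa(record, chain_der):
    """Index of the chain cert the record matches, else None. EE usages (1/3) are compared
    with the leaf only, TA usages (0/2) with issuer certs only; PKIX checks are out of scope."""
    usage, selector, mtype, _ = record.split()
    positions = [0] if usage in ("1", "3") else range(1, len(chain_der))
    for i in positions:
        if tlsa_rdata(chain_der[i], int(usage), int(selector), int(mtype)) == record.lower():
            return i
    return None

def der(tag, body):
    """Tiny DER encoder, used only to build the constructed sample certificates below."""
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (size if len(body) < 128 else bytes([0x80 | len(size)]) + size) + body

def sample_cert(cn):
    """Constructed certificate-shaped DER (dummy, unsigned); not a real X.509 certificate."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, cn))))
    spki = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
               + der(0x03, b"\x00" + hashlib.sha256(cn).digest()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name + der(0x30, b"") + name + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

CHAIN = [sample_cert(b"*.example.net"), sample_cert(b"Example Issuing CA")]  # leaf first
```

Running `match_tlsa(tlsa_rdata(CHAIN[0], 2, 0), CHAIN)` returns None, whereas the same digest published with usage 3, or a usage 2 digest taken over the issuer certificate, matches.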
