Combining certificates to a chain file:
[root@localhost certs]# cd /etc/pki/tls/certs
[root@localhost certs]# openssl x509 -inform PEM -in www.2.0.0.example.com -text > www.2.0.0.example.com-combined.crt
[root@localhost certs]# openssl x509 -inform PEM -in cacert.pem -text >> www.2.0.0.example.com-combined.crt
<VirtualHost 172.16.52.182:443>
SSLEngine on
SSLCertificateChainFile /etc/pki/tls/certs/www.2.0.0.example.com-combined.crt
SSLCertificateFile /etc/pki/tls/certs/www.2.0.0.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.2.0.0.example.com.key
<Directory /var/www/vhosts/example.com/httpsdocs>
AllowOverride All
</Directory>
DocumentRoot /var/www/vhosts/example.com/httpsdocs
ServerName www.2.0.0.example.com
</VirtualHost>
Monday, December 26, 2011
Thursday, December 8, 2011
Decrypt private key and install certificate
[root@localhost tls]# openssl rsa -in /root/newkey.pem -out private/www.example.com.keyEnter pass phrase for /root/newkey.pem:
writing RSA key
[root@localhost tls]# openssl x509 -in /root/newcert.pem -out certs/www.example.com.crt
mv: overwrite `certs/www.example.com.crt'? y
[root@localhost tls]# pwd
/etc/pki/tls
writing RSA key
[root@localhost tls]# openssl x509 -in /root/newcert.pem -out certs/www.example.com.crt
mv: overwrite `certs/www.example.com.crt'? y
[root@localhost tls]# pwd
/etc/pki/tls
Creating TLSA records from the new certificate
Hats off to Jakob Schlyter for providing the perl script that generates a TLSA record from the certificate:
$ ../src/cert2rr.pl www.example.com 1 0 0 demoCA/cacert.pem
; Selected 755 bytes of data from demoCA/cacert.pem
; TLSA resource record:
;
www.example.com. IN TLSA 1 0 0 308202ef30820258a0030201020209009a0a7ecab015ea56300d06092a864886f70d01010505003059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e301e170d3131313230393033303535385a170d3134313230383033303535385a3059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e30819f300d06092a864886f70d010101050003818d0030818902818100d0e03624b35367095e40abc3485edf10b12e049bfcf384edccc945fca4cce3ac58132fedac355d7a327ccec9d4c473bb49e20822aa5e24b37ea1cf52206054bf43855f895de519b6f19496ad003d8fde9644dd143bc9ae7580e538ef0bd62bef682d2846c6b9c79194f337630ee7535f701c346682df5cd978b8fdce4bb5761f0203010001a381be3081bb301d0603551d0e0416041464e15937d9a5180d3c63fb73a250d4d7a012b49430818b0603551d23048183308180801464e15937d9a5180d3c63fb73a250d4d7a012b494a15da45b3059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e8209009a0a7ecab015ea56300c0603551d13040530030101ff300d06092a864886f70d01010505000381810017c156226f07b10f6434be97cecf132726f0dfb54c6cb5fb15bd4ba181e185304d00a466528dc5b95e2091c4d52c9f921e7a52e3b9fd82a453f47e54bee10d3b0d7043fe85d0a6eba56628ff8afc11c42f5e8f8d0ed49f8d19019f5a22b98d6043c6bfc3d7ba047881b64ec72e2b108137e7a70cd9a78792eb792f5be3138c09
; Unknown resource record:
;
www.example.com. IN TYPE65534 \# 758 010000308202ef30820258a0030201020209009a0a7ecab015ea56300d06092a864886f70d01010505003059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e301e170d3131313230393033303535385a170d3134313230383033303535385a3059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e30819f300d06092a864886f70d010101050003818d0030818902818100d0e03624b35367095e40abc3485edf10b12e049bfcf384edccc945fca4cce3ac58132fedac355d7a327ccec9d4c473bb49e20822aa5e24b37ea1cf52206054bf43855f895de519b6f19496ad003d8fde9644dd143bc9ae7580e538ef0bd62bef682d2846c6b9c79194f337630ee7535f701c346682df5cd978b8fdce4bb5761f0203010001a381be3081bb301d0603551d0e0416041464e15937d9a5180d3c63fb73a250d4d7a012b49430818b0603551d23048183308180801464e15937d9a5180d3c63fb73a250d4d7a012b494a15da45b3059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e8209009a0a7ecab015ea56300c0603551d13040530030101ff300d06092a864886f70d01010505000381810017c156226f07b10f6434be97cecf132726f0dfb54c6cb5fb15bd4ba181e185304d00a466528dc5b95e2091c4d52c9f921e7a52e3b9fd82a453f47e54bee10d3b0d7043fe85d0a6eba56628ff8afc11c42f5e8f8d0ed49f8d19019f5a22b98d6043c6bfc3d7ba047881b64ec72e2b108137e7a70cd9a78792eb792f5be3138c09
$ ../src/cert2rr.pl www.example.com 1 0 0 demoCA/cacert.pem
; Selected 755 bytes of data from demoCA/cacert.pem
; TLSA resource record:
;
www.example.com. IN TLSA 1 0 0 308202ef30820258a0030201020209009a0a7ecab015ea56300d06092a864886f70d01010505003059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e301e170d3131313230393033303535385a170d3134313230383033303535385a3059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e30819f300d06092a864886f70d010101050003818d0030818902818100d0e03624b35367095e40abc3485edf10b12e049bfcf384edccc945fca4cce3ac58132fedac355d7a327ccec9d4c473bb49e20822aa5e24b37ea1cf52206054bf43855f895de519b6f19496ad003d8fde9644dd143bc9ae7580e538ef0bd62bef682d2846c6b9c79194f337630ee7535f701c346682df5cd978b8fdce4bb5761f0203010001a381be3081bb301d0603551d0e0416041464e15937d9a5180d3c63fb73a250d4d7a012b49430818b0603551d23048183308180801464e15937d9a5180d3c63fb73a250d4d7a012b494a15da45b3059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e8209009a0a7ecab015ea56300c0603551d13040530030101ff300d06092a864886f70d01010505000381810017c156226f07b10f6434be97cecf132726f0dfb54c6cb5fb15bd4ba181e185304d00a466528dc5b95e2091c4d52c9f921e7a52e3b9fd82a453f47e54bee10d3b0d7043fe85d0a6eba56628ff8afc11c42f5e8f8d0ed49f8d19019f5a22b98d6043c6bfc3d7ba047881b64ec72e2b108137e7a70cd9a78792eb792f5be3138c09
; Unknown resource record:
;
www.example.com. IN TYPE65534 \# 758 010000308202ef30820258a0030201020209009a0a7ecab015ea56300d06092a864886f70d01010505003059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e301e170d3131313230393033303535385a170d3134313230383033303535385a3059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e30819f300d06092a864886f70d010101050003818d0030818902818100d0e03624b35367095e40abc3485edf10b12e049bfcf384edccc945fca4cce3ac58132fedac355d7a327ccec9d4c473bb49e20822aa5e24b37ea1cf52206054bf43855f895de519b6f19496ad003d8fde9644dd143bc9ae7580e538ef0bd62bef682d2846c6b9c79194f337630ee7535f701c346682df5cd978b8fdce4bb5761f0203010001a381be3081bb301d0603551d0e0416041464e15937d9a5180d3c63fb73a250d4d7a012b49430818b0603551d23048183308180801464e15937d9a5180d3c63fb73a250d4d7a012b494a15da45b3059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e8209009a0a7ecab015ea56300c0603551d13040530030101ff300d06092a864886f70d01010505000381810017c156226f07b10f6434be97cecf132726f0dfb54c6cb5fb15bd4ba181e185304d00a466528dc5b95e2091c4d52c9f921e7a52e3b9fd82a453f47e54bee10d3b0d7043fe85d0a6eba56628ff8afc11c42f5e8f8d0ed49f8d19019f5a22b98d6043c6bfc3d7ba047881b64ec72e2b108137e7a70cd9a78792eb792f5be3138c09
Sign certificate request
$ perl ../openssl-hacked2/apps/CA.pl -signreq
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
9a:0a:7e:ca:b0:15:ea:57
Validity
Not Before: Dec 9 03:10:52 2011 GMT
Not After : Dec 8 03:10:52 2012 GMT
Subject:
countryName = US
stateOrProvinceName = CA
localityName = Mtn View
organizationName = Internet Widgits Pty Ltd
organizationalUnitName = exjobb
commonName = www.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
52:92:22:78:10:43:E4:7F:87:21:3A:17:EE:53:FE:FC:C3:DD:78:11
X509v3 Authority Key Identifier:
keyid:64:E1:59:37:D9:A5:18:0D:3C:63:FB:73:A2:50:D4:D7:A0:12:B4:94
Certificate is to be certified until Dec 8 03:10:52 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
9a:0a:7e:ca:b0:15:ea:57
Validity
Not Before: Dec 9 03:10:52 2011 GMT
Not After : Dec 8 03:10:52 2012 GMT
Subject:
countryName = US
stateOrProvinceName = CA
localityName = Mtn View
organizationName = Internet Widgits Pty Ltd
organizationalUnitName = exjobb
commonName = www.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
52:92:22:78:10:43:E4:7F:87:21:3A:17:EE:53:FE:FC:C3:DD:78:11
X509v3 Authority Key Identifier:
keyid:64:E1:59:37:D9:A5:18:0D:3C:63:FB:73:A2:50:D4:D7:A0:12:B4:94
Certificate is to be certified until Dec 8 03:10:52 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
Creating a certificate request
$ perl ../openssl-hacked2/apps/CA.pl -newreq
Generating a 1024 bit RSA private key
...........................++++++
.................................................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Mtn View
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:exjobb
Common Name (eg, YOUR name) []:www.example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
Generating a 1024 bit RSA private key
...........................++++++
.................................................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Mtn View
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:exjobb
Common Name (eg, YOUR name) []:www.example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
Setting up a CA server
$ perl ../openssl-hacked2/apps/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
..........................++++++
................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
phrase is too short, needs to be at least 4 chars
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Mountain View
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DANE CA
Organizational Unit Name (eg, section) []:Exjobb
Common Name (eg, YOUR name) []:Mathias Samuelson
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
9a:0a:7e:ca:b0:15:ea:56
Validity
Not Before: Dec 9 03:05:58 2011 GMT
Not After : Dec 8 03:05:58 2014 GMT
Subject:
countryName = US
stateOrProvinceName = CA
organizationName = DANE CA
organizationalUnitName = Exjobb
commonName = Mathias Samuelson
X509v3 extensions:
X509v3 Subject Key Identifier:
64:E1:59:37:D9:A5:18:0D:3C:63:FB:73:A2:50:D4:D7:A0:12:B4:94
X509v3 Authority Key Identifier:
keyid:64:E1:59:37:D9:A5:18:0D:3C:63:FB:73:A2:50:D4:D7:A0:12:B4:94
DirName:/C=US/ST=CA/O=DANE CA/OU=Exjobb/CN=Mathias Samuelson
serial:9A:0A:7E:CA:B0:15:EA:56
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Dec 8 03:05:58 2014 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
..........................++++++
................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
phrase is too short, needs to be at least 4 chars
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Mountain View
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DANE CA
Organizational Unit Name (eg, section) []:Exjobb
Common Name (eg, YOUR name) []:Mathias Samuelson
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
9a:0a:7e:ca:b0:15:ea:56
Validity
Not Before: Dec 9 03:05:58 2011 GMT
Not After : Dec 8 03:05:58 2014 GMT
Subject:
countryName = US
stateOrProvinceName = CA
organizationName = DANE CA
organizationalUnitName = Exjobb
commonName = Mathias Samuelson
X509v3 extensions:
X509v3 Subject Key Identifier:
64:E1:59:37:D9:A5:18:0D:3C:63:FB:73:A2:50:D4:D7:A0:12:B4:94
X509v3 Authority Key Identifier:
keyid:64:E1:59:37:D9:A5:18:0D:3C:63:FB:73:A2:50:D4:D7:A0:12:B4:94
DirName:/C=US/ST=CA/O=DANE CA/OU=Exjobb/CN=Mathias Samuelson
serial:9A:0A:7E:CA:B0:15:EA:56
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Dec 8 03:05:58 2014 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
Saturday, December 3, 2011
Hacked dane tool
I just made a hack to the dane tool so that it now supports Certificate Usage field and adds the correct selector and matching type fields.
79c79
< def create_tlsa(hostname, certtype, reftype):
---
> def create_tlsa(hostname, usage, selector, reftype):
100c100
< v4TLSA = draft_genTLSA(hostname, a, certtype, reftype)
---
> v4TLSA = draft_genTLSA(hostname, a, usage, selector, reftype)
102c102
< rfcv4TLSA = rfc_genTLSA(hostname, a, certtype, reftype)
---
> rfcv4TLSA = rfc_genTLSA(hostname, a, usage, selector, reftype)
114c114
< v6TLSA = draft_genTLSA(hostname, aaaa, certtype, reftype)
---
> v6TLSA = draft_genTLSA(hostname, aaaa, usage, selector, reftype)
116c116
< rfcv6TLSA = rfc_genTLSA(hostname, aaaa, certtype, reftype)
---
> rfcv6TLSA = rfc_genTLSA(hostname, aaaa, usage, selector, reftype)
133c133
< def draft_genTLSA(hostname, address, certtype, reftype):
---
> def draft_genTLSA(hostname, address, usage, selector, reftype):
156,157c156,157
< if certtype != 1:
< print "Only EE-cert supported right now"
---
> if selector != 0:
> print "Only full EE-cert supported right now"
161c161
< return "_443._tcp.%s IN TYPE65468 \# %s 0%s0%s%s"%(hostname,len(certhex)/2+2,certtype,reftype, certhex)
---
> return "_443._tcp.%s IN TYPE65468 \# %s 0%s0%s0%s%s"%(hostname,len(certhex)/2+3,usage,selector,reftype, certhex)
168,170c168,170
< # certtype and reftype are part of the length
< data_length += 2
< return "_443._tcp.%s IN TYPE65468 \# %s 0%s0%s%s"%(hostname,data_length,certtype,reftype, hashCert(reftype,dercert))
---
> # selector and reftype are part of the length
> data_length += 3
> return "_443._tcp.%s IN TYPE65468 \# %s 0%s0%s0%s%s"%(hostname,data_length,usage,selector,reftype, hashCert(reftype,dercert))
172c172
< def rfc_genTLSA(hostname, address, certtype, reftype):
---
> def rfc_genTLSA(hostname, address, usage, selector, reftype):
184,186c184,186
< if certtype != 1:
< print "Only EE-cert supported right now"
< return "_443._tcp.%s IN TLSA %s %s %s"%(hostname, certtype, reftype, hashCert(reftype,dercert))
---
> if selector != 0:
> print "Only full EE-cert supported right now"
> return "_443._tcp.%s IN TLSA %s %s %s %s"%(hostname, usage, selector, reftype, hashCert(reftype,dercert))
236a237
> parser.add_argument('--usage', action='store',help='certificate usage [0,1,2] (default:1)', default=1)
264a266,268
> if args.usage:
> if not (args.usage != 0 or args.usage != 1 or args.usage != 2):
> sys.exit("Certificate Usage must be (0, 1, or 2)")
316c320
< create_tlsa(host,1,reftype)
---
> create_tlsa(host,args.usage,0,reftype)
356c360
< create_tlsa(host,1,reftype)
---
> create_tlsa(host,args.usage,0,reftype)
359c363
< create_tlsa(host,1,reftype)
---
> create_tlsa(host,args.usage,1,reftype)
79c79
< def create_tlsa(hostname, certtype, reftype):
---
> def create_tlsa(hostname, usage, selector, reftype):
100c100
< v4TLSA = draft_genTLSA(hostname, a, certtype, reftype)
---
> v4TLSA = draft_genTLSA(hostname, a, usage, selector, reftype)
102c102
< rfcv4TLSA = rfc_genTLSA(hostname, a, certtype, reftype)
---
> rfcv4TLSA = rfc_genTLSA(hostname, a, usage, selector, reftype)
114c114
< v6TLSA = draft_genTLSA(hostname, aaaa, certtype, reftype)
---
> v6TLSA = draft_genTLSA(hostname, aaaa, usage, selector, reftype)
116c116
< rfcv6TLSA = rfc_genTLSA(hostname, aaaa, certtype, reftype)
---
> rfcv6TLSA = rfc_genTLSA(hostname, aaaa, usage, selector, reftype)
133c133
< def draft_genTLSA(hostname, address, certtype, reftype):
---
> def draft_genTLSA(hostname, address, usage, selector, reftype):
156,157c156,157
< if certtype != 1:
< print "Only EE-cert supported right now"
---
> if selector != 0:
> print "Only full EE-cert supported right now"
161c161
< return "_443._tcp.%s IN TYPE65468 \# %s 0%s0%s%s"%(hostname,len(certhex)/2+2,certtype,reftype, certhex)
---
> return "_443._tcp.%s IN TYPE65468 \# %s 0%s0%s0%s%s"%(hostname,len(certhex)/2+3,usage,selector,reftype, certhex)
168,170c168,170
< # certtype and reftype are part of the length
< data_length += 2
< return "_443._tcp.%s IN TYPE65468 \# %s 0%s0%s%s"%(hostname,data_length,certtype,reftype, hashCert(reftype,dercert))
---
> # selector and reftype are part of the length
> data_length += 3
> return "_443._tcp.%s IN TYPE65468 \# %s 0%s0%s0%s%s"%(hostname,data_length,usage,selector,reftype, hashCert(reftype,dercert))
172c172
< def rfc_genTLSA(hostname, address, certtype, reftype):
---
> def rfc_genTLSA(hostname, address, usage, selector, reftype):
184,186c184,186
< if certtype != 1:
< print "Only EE-cert supported right now"
< return "_443._tcp.%s IN TLSA %s %s %s"%(hostname, certtype, reftype, hashCert(reftype,dercert))
---
> if selector != 0:
> print "Only full EE-cert supported right now"
> return "_443._tcp.%s IN TLSA %s %s %s %s"%(hostname, usage, selector, reftype, hashCert(reftype,dercert))
236a237
> parser.add_argument('--usage', action='store',help='certificate usage [0,1,2] (default:1)', default=1)
264a266,268
> if args.usage:
> if not (args.usage != 0 or args.usage != 1 or args.usage != 2):
> sys.exit("Certificate Usage must be (0, 1, or 2)")
316c320
< create_tlsa(host,1,reftype)
---
> create_tlsa(host,args.usage,0,reftype)
356c360
< create_tlsa(host,1,reftype)
---
> create_tlsa(host,args.usage,0,reftype)
359c363
< create_tlsa(host,1,reftype)
---
> create_tlsa(host,args.usage,1,reftype)
Friday, December 2, 2011
Successfully building with Unbound
Thanks to one of my coworkers, Brian, I can now build with Unbound. Yay.
apps msamuel$ diff Makefile Makefile.org
59c59
< spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o ../ssl/dane.o
---
> spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o
67c67
< spkac.c smime.c cms.c rand.c engine.c ocsp.c prime.c ts.c dane.c
---
> spkac.c smime.c cms.c rand.c engine.c ocsp.c prime.c ts.c
160c160
< LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS) -L/usr/local/lib -lunbound" \
---
> LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
821d820
< s_client.o: ../include/openssl/dane.h
ssl msamuel$ diff Makefile Makefile.org
8c8
< INCLUDES= -I../crypto -I$(TOP) -I../include $(KRB5_INCLUDES) -I/usr/local/include/unbound.h
---
> INCLUDES= -I../crypto -I$(TOP) -I../include $(KRB5_INCLUDES)
266d265
< #dane.o: /usr/local/include/unbound.h dane.c
apps msamuel$ diff Makefile Makefile.org
59c59
< spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o ../ssl/dane.o
---
> spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o
67c67
< spkac.c smime.c cms.c rand.c engine.c ocsp.c prime.c ts.c dane.c
---
> spkac.c smime.c cms.c rand.c engine.c ocsp.c prime.c ts.c
160c160
< LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS) -L/usr/local/lib -lunbound" \
---
> LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
821d820
< s_client.o: ../include/openssl/dane.h
ssl msamuel$ diff Makefile Makefile.org
8c8
< INCLUDES= -I../crypto -I$(TOP) -I../include $(KRB5_INCLUDES) -I/usr/local/include/unbound.h
---
> INCLUDES= -I../crypto -I$(TOP) -I../include $(KRB5_INCLUDES)
266d265
< #dane.o: /usr/local/include/unbound.h dane.c
Tuesday, November 22, 2011
Revisiting building OpenSSL
$ ./Configure --prefix=/usr/local no-threads shared darwin64-x86_64-cc
$ make
$ make
Sunday, November 20, 2011
Getting the certificate in DER and printing it
This hack fetches the certificate from a web server and prints it out in hex format. It's pretty ugly at this point, but note that the certificate bytes match.
#include
#include
#include
#include
BIO *b_err;
int dane_verify(SSL *con, char *s_host, short s_port) {
X509 *dane_peer = NULL;
char buf[BUFSIZ];
if (b_err == NULL)
b_err=BIO_new_fp(stderr,BIO_NOCLOSE);
BIO_printf(b_err, "DANE:%s:%d\n", s_host, s_port);
dane_peer = SSL_get_peer_certificate(con);
if (dane_peer != NULL) {
BIO_printf(b_err, "DANE:Server certificate\n");
X509_NAME_oneline(X509_get_subject_name(dane_peer),
buf,sizeof buf);
BIO_printf(b_err,"DANE:subject=%s\n",buf);
X509_NAME_oneline(X509_get_issuer_name(dane_peer),
buf,sizeof buf);
BIO_printf(b_err,"DANE:issuer=%s\n",buf);
//X509_print(b_err,dane_peer);
int len;
unsigned char *buf, *buf_tmp;
buf = NULL;
len = i2d_X509(dane_peer, &buf);
buf_tmp = buf;
int der_bytes[len+1];
int i;
for (i=0; i
buf_tmp++;
}
BIO_printf(b_err, "\n");
der_bytes[len] = '\0';
BIO_printf(b_err, "DANE: here we go: %X\n", der_bytes);
if (len < 0) {
BIO_printf(b_err, "DANE: ops\n");
} else {
BIO_printf(b_err, "DANE... %d\n", len);
BIO_printf(b_err, "DANE: %u\n", buf);
}
} else
BIO_printf(b_err,"DANE:no peer certificate available\n");
(void)BIO_flush(b_err);
return 0;
}
$ ./openssl s_client -dane -connect www.example.com:443
CONNECTED(00000003)
DANE:www.example.com:443
DANE:no peer certificate available
DANE:www.example.com:443
DANE:no peer certificate available
depth=0 C = US, ST = California, L = Mountain View, O = Default Company Ltd, CN = www.example.com, emailAddress = mathias.samuelson@gmail.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Default Company Ltd, CN = www.example.com, emailAddress = mathias.samuelson@gmail.com
verify return:1
DANE:www.example.com:443
DANE:Server certificate
DANE:subject=/C=US/ST=California/L=Mountain View/O=Default Company Ltd/CN=www.example.com/emailAddress=mathias.samuelson@gmail.com
DANE:issuer=/C=US/ST=California/L=Mountain View/O=Default Company Ltd/CN=www.example.com/emailAddress=mathias.samuelson@gmail.com
3082 2B53082 21E 2 9 087DEC83E4049FDBD30 D 6 92A864886F7 D 1 1 5 5 030819E31 B30 9 6 355 4 613 2555331133011 6 355 4 8 C A43616C69666F726E696131163014 6 355 4 7 C D4D6F756E7461696E2056696577311C301A 6 355 4 A C1344656661756C7420436F6D70616E79204C746431183016 6 355 4 3 C F7777772E6578616D706C652E636F6D312A3028 6 92A864886F7 D 1 9 1161B6D6174686961732E73616D75656C736F6E40676D61696C2E636F6D301E17 D3131313131333232333633395A17 D3132313131323232333633395A30819E31 B30 9 6 355 4 613 2555331133011 6 355 4 8 C A43616C69666F726E696131163014 6 355 4 7 C D4D6F756E7461696E2056696577311C301A 6 355 4 A C1344656661756C7420436F6D70616E79204C746431183016 6 355 4 3 C F7777772E6578616D706C652E636F6D312A3028 6 92A864886F7 D 1 9 1161B6D6174686961732E73616D75656C736F6E40676D61696C2E636F6D30819F30 D 6 92A864886F7 D 1 1 1 5 0 3818D 0308189 28181 0A8148A 27BB0DA5613 5963ABF7092741E443543AA16DEE369ED4E9542298BEF3DFCB16A2D 1C38EC6A89E8CD6 58889BC6E8BBD659F84726AA5E9F2A459BD40 1169AF91479 99CA34747 B75A5D3FC5FE1AF8823D4FC4B 9D7FD92A48244457911B466652E8AC69458E8EA4EA9896A D5AE76A6D 32F5DEB961B24AC61D331 2 3 1 0 130 D 6 92A864886F7 D 1 1 5 5 0 38181 08C2ACCCB27885E42DB35724E3BCE6CD58DA5671CE5AD7B8EC0B5C52421C4AA84BD 3 28D5CFF 19A853DE74ED7 471D3F610489C7FC232522B13623AA4F4B38A 82F28 51016917CE588DA8326156629CF70FFB2663C8A63CE 860CA81E7815F82A4FB3BF7DD385F 38696F5 04254C5BC39451DA220FE24D0578483464F6D58
DANE: here we go: 5FBFE130
DANE... 697
DANE: 3280608
...
The certificate starts with the bytes 0x3082 ... ends with 0x6D58.
We see that the number of bytes is 697, whereas the record in DNS is 699 bytes. The record should have three one octet fields and then the certificate bytes, but I'm actually only seeing two octets before the certificate. Need to look into why that is.
So far so good though.
#include
#include
#include
#include
BIO *b_err;
int dane_verify(SSL *con, char *s_host, short s_port) {
X509 *dane_peer = NULL;
char buf[BUFSIZ];
if (b_err == NULL)
b_err=BIO_new_fp(stderr,BIO_NOCLOSE);
BIO_printf(b_err, "DANE:%s:%d\n", s_host, s_port);
dane_peer = SSL_get_peer_certificate(con);
if (dane_peer != NULL) {
BIO_printf(b_err, "DANE:Server certificate\n");
X509_NAME_oneline(X509_get_subject_name(dane_peer),
buf,sizeof buf);
BIO_printf(b_err,"DANE:subject=%s\n",buf);
X509_NAME_oneline(X509_get_issuer_name(dane_peer),
buf,sizeof buf);
BIO_printf(b_err,"DANE:issuer=%s\n",buf);
//X509_print(b_err,dane_peer);
int len;
unsigned char *buf, *buf_tmp;
buf = NULL;
len = i2d_X509(dane_peer, &buf);
buf_tmp = buf;
int der_bytes[len+1];
int i;
for (i=0; i
buf_tmp++;
}
BIO_printf(b_err, "\n");
der_bytes[len] = '\0';
BIO_printf(b_err, "DANE: here we go: %X\n", der_bytes);
if (len < 0) {
BIO_printf(b_err, "DANE: ops\n");
} else {
BIO_printf(b_err, "DANE... %d\n", len);
BIO_printf(b_err, "DANE: %u\n", buf);
}
} else
BIO_printf(b_err,"DANE:no peer certificate available\n");
(void)BIO_flush(b_err);
return 0;
}
$ ./openssl s_client -dane -connect www.example.com:443
CONNECTED(00000003)
DANE:www.example.com:443
DANE:no peer certificate available
DANE:www.example.com:443
DANE:no peer certificate available
depth=0 C = US, ST = California, L = Mountain View, O = Default Company Ltd, CN = www.example.com, emailAddress = mathias.samuelson@gmail.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Default Company Ltd, CN = www.example.com, emailAddress = mathias.samuelson@gmail.com
verify return:1
DANE:www.example.com:443
DANE:Server certificate
DANE:subject=/C=US/ST=California/L=Mountain View/O=Default Company Ltd/CN=www.example.com/emailAddress=mathias.samuelson@gmail.com
DANE:issuer=/C=US/ST=California/L=Mountain View/O=Default Company Ltd/CN=www.example.com/emailAddress=mathias.samuelson@gmail.com
3082 2B53082 21E 2 9 087DEC83E4049FDBD30 D 6 92A864886F7 D 1 1 5 5 030819E31 B30 9 6 355 4 613 2555331133011 6 355 4 8 C A43616C69666F726E696131163014 6 355 4 7 C D4D6F756E7461696E2056696577311C301A 6 355 4 A C1344656661756C7420436F6D70616E79204C746431183016 6 355 4 3 C F7777772E6578616D706C652E636F6D312A3028 6 92A864886F7 D 1 9 1161B6D6174686961732E73616D75656C736F6E40676D61696C2E636F6D301E17 D3131313131333232333633395A17 D3132313131323232333633395A30819E31 B30 9 6 355 4 613 2555331133011 6 355 4 8 C A43616C69666F726E696131163014 6 355 4 7 C D4D6F756E7461696E2056696577311C301A 6 355 4 A C1344656661756C7420436F6D70616E79204C746431183016 6 355 4 3 C F7777772E6578616D706C652E636F6D312A3028 6 92A864886F7 D 1 9 1161B6D6174686961732E73616D75656C736F6E40676D61696C2E636F6D30819F30 D 6 92A864886F7 D 1 1 1 5 0 3818D 0308189 28181 0A8148A 27BB0DA5613 5963ABF7092741E443543AA16DEE369ED4E9542298BEF3DFCB16A2D 1C38EC6A89E8CD6 58889BC6E8BBD659F84726AA5E9F2A459BD40 1169AF91479 99CA34747 B75A5D3FC5FE1AF8823D4FC4B 9D7FD92A48244457911B466652E8AC69458E8EA4EA9896A D5AE76A6D 32F5DEB961B24AC61D331 2 3 1 0 130 D 6 92A864886F7 D 1 1 5 5 0 38181 08C2ACCCB27885E42DB35724E3BCE6CD58DA5671CE5AD7B8EC0B5C52421C4AA84BD 3 28D5CFF 19A853DE74ED7 471D3F610489C7FC232522B13623AA4F4B38A 82F28 51016917CE588DA8326156629CF70FFB2663C8A63CE 860CA81E7815F82A4FB3BF7DD385F 38696F5 04254C5BC39451DA220FE24D0578483464F6D58
DANE: here we go: 5FBFE130
DANE... 697
DANE: 3280608
...
The certificate starts with the bytes 0x3082 ... ends with 0x6D58.
We see that the number of bytes is 697, whereas the record in DNS is 699 bytes. The record should have three one octet fields and then the certificate bytes, but I'm actually only seeing two octets before the certificate. Need to look into why that is.
So far so good though.
Fetching the TLSA record with libunbound
Here's the modified code that fetches a TLSA record and prints the bytes in hex:
#include
#include
#include
#include
#include
int main(void)
{
struct ub_ctx* ctx;
struct ub_result* result;
int retval;
/* create context */
ctx = ub_ctx_create();
if(!ctx) {
printf("error: could not create unbound context\n");
return 1;
}
/* read /etc/resolv.conf for DNS proxy settings (from DHCP) */
if( (retval=ub_ctx_resolvconf(ctx, "/etc/resolv.conf")) != 0) {
printf("error reading resolv.conf: %s. errno says: %s\n",
ub_strerror(retval), strerror(errno));
return 1;
}
/* read /etc/hosts for locally supplied host addresses */
if( (retval=ub_ctx_hosts(ctx, "/etc/hosts")) != 0) {
printf("error reading hosts: %s. errno says: %s\n",
ub_strerror(retval), strerror(errno));
return 1;
}
/* read public keys for DNSSEC verification */
if( (retval=ub_ctx_add_ta_file(ctx, "keys")) != 0) {
printf("error adding keys: %s\n", ub_strerror(retval));
return 1;
}
/* query for webserver */
retval = ub_resolve(ctx, "_443._tcp.www.example.com",
65468 /* TYPE A (IPv4 address) */,
1 /* CLASS IN (internet) */, &result);
if(retval != 0) {
printf("resolve error: %s\n", ub_strerror(retval));
return 1;
}
/* show first result */
if(result->havedata) {
unsigned char *buf = (char*)result->data[0];
int i;
printf("The record length is %d\n", result->len[0]);
for (i = 0; i < result->len[0]; i++) {
printf("%2X", *buf);
buf++;
}
printf("\n");
}
/* show security status */
if(result->secure)
printf("Result is secure\n");
else if(result->bogus)
printf("Result is bogus: %s\n", result->why_bogus);
else printf("Result is insecure\n");
ub_resolve_free(result);
ub_ctx_delete(ctx);
return 0;
}
To compile and run:
$ gcc -o unb_secure_resolve unb_secure_resolve.c -I/usr/local/include -L/usr/local/lib -lunbound
$ ./unb_secure_resolve The record length is 699
1 03082 2B53082 21E 2 9 087DEC83E4049FDBD30 D 6 92A864886F7 D 1 1 5 5 030819E31 B30 9 6 355 4 613 2555331133011 6 355 4 8 C A43616C69666F726E696131163014 6 355 4 7 C D4D6F756E7461696E2056696577311C301A 6 355 4 A C1344656661756C7420436F6D70616E79204C746431183016 6 355 4 3 C F7777772E6578616D706C652E636F6D312A3028 6 92A864886F7 D 1 9 1161B6D6174686961732E73616D75656C736F6E40676D61696C2E636F6D301E17 D3131313131333232333633395A17 D3132313131323232333633395A30819E31 B30 9 6 355 4 613 2555331133011 6 355 4 8 C A43616C69666F726E696131163014 6 355 4 7 C D4D6F756E7461696E2056696577311C301A 6 355 4 A C1344656661756C7420436F6D70616E79204C746431183016 6 355 4 3 C F7777772E6578616D706C652E636F6D312A3028 6 92A864886F7 D 1 9 1161B6D6174686961732E73616D75656C736F6E40676D61696C2E636F6D30819F30 D 6 92A864886F7 D 1 1 1 5 0 3818D 0308189 28181 0A8148A 27BB0DA5613 5963ABF7092741E443543AA16DEE369ED4E9542298BEF3DFCB16A2D 1C38EC6A89E8CD6 58889BC6E8BBD659F84726AA5E9F2A459BD40 1169AF91479 99CA34747 B75A5D3FC5FE1AF8823D4FC4B 9D7FD92A48244457911B466652E8AC69458E8EA4EA9896A D5AE76A6D 32F5DEB961B24AC61D331 2 3 1 0 130 D 6 92A864886F7 D 1 1 5 5 0 38181 08C2ACCCB27885E42DB35724E3BCE6CD58DA5671CE5AD7B8EC0B5C52421C4AA84BD 3 28D5CFF 19A853DE74ED7 471D3F610489C7FC232522B13623AA4F4B38A 82F28 51016917CE588DA8326156629CF70FFB2663C8A63CE 860CA81E7815F82A4FB3BF7DD385F 38696F5 04254C5BC39451DA220FE24D0578483464F6D58
Result is insecure
Obviously the output leaves something to be desired, but that's not the point. Next post will show the equivalent output from OpenSSL.
#include
#include
#include
#include
#include
int main(void)
{
struct ub_ctx* ctx;
struct ub_result* result;
int retval;
/* create context */
ctx = ub_ctx_create();
if(!ctx) {
printf("error: could not create unbound context\n");
return 1;
}
/* read /etc/resolv.conf for DNS proxy settings (from DHCP) */
if( (retval=ub_ctx_resolvconf(ctx, "/etc/resolv.conf")) != 0) {
printf("error reading resolv.conf: %s. errno says: %s\n",
ub_strerror(retval), strerror(errno));
return 1;
}
/* read /etc/hosts for locally supplied host addresses */
if( (retval=ub_ctx_hosts(ctx, "/etc/hosts")) != 0) {
printf("error reading hosts: %s. errno says: %s\n",
ub_strerror(retval), strerror(errno));
return 1;
}
/* read public keys for DNSSEC verification */
if( (retval=ub_ctx_add_ta_file(ctx, "keys")) != 0) {
printf("error adding keys: %s\n", ub_strerror(retval));
return 1;
}
/* query for webserver */
retval = ub_resolve(ctx, "_443._tcp.www.example.com",
65468 /* TYPE A (IPv4 address) */,
1 /* CLASS IN (internet) */, &result);
if(retval != 0) {
printf("resolve error: %s\n", ub_strerror(retval));
return 1;
}
/* show first result */
if(result->havedata) {
unsigned char *buf = (char*)result->data[0];
int i;
printf("The record length is %d\n", result->len[0]);
for (i = 0; i < result->len[0]; i++) {
printf("%2X", *buf);
buf++;
}
printf("\n");
}
/* show security status */
if(result->secure)
printf("Result is secure\n");
else if(result->bogus)
printf("Result is bogus: %s\n", result->why_bogus);
else printf("Result is insecure\n");
ub_resolve_free(result);
ub_ctx_delete(ctx);
return 0;
}
To compile and run:
$ gcc -o unb_secure_resolve unb_secure_resolve.c -I/usr/local/include -L/usr/local/lib -lunbound
$ ./unb_secure_resolve The record length is 699
1 03082 2B53082 21E 2 9 087DEC83E4049FDBD30 D 6 92A864886F7 D 1 1 5 5 030819E31 B30 9 6 355 4 613 2555331133011 6 355 4 8 C A43616C69666F726E696131163014 6 355 4 7 C D4D6F756E7461696E2056696577311C301A 6 355 4 A C1344656661756C7420436F6D70616E79204C746431183016 6 355 4 3 C F7777772E6578616D706C652E636F6D312A3028 6 92A864886F7 D 1 9 1161B6D6174686961732E73616D75656C736F6E40676D61696C2E636F6D301E17 D3131313131333232333633395A17 D3132313131323232333633395A30819E31 B30 9 6 355 4 613 2555331133011 6 355 4 8 C A43616C69666F726E696131163014 6 355 4 7 C D4D6F756E7461696E2056696577311C301A 6 355 4 A C1344656661756C7420436F6D70616E79204C746431183016 6 355 4 3 C F7777772E6578616D706C652E636F6D312A3028 6 92A864886F7 D 1 9 1161B6D6174686961732E73616D75656C736F6E40676D61696C2E636F6D30819F30 D 6 92A864886F7 D 1 1 1 5 0 3818D 0308189 28181 0A8148A 27BB0DA5613 5963ABF7092741E443543AA16DEE369ED4E9542298BEF3DFCB16A2D 1C38EC6A89E8CD6 58889BC6E8BBD659F84726AA5E9F2A459BD40 1169AF91479 99CA34747 B75A5D3FC5FE1AF8823D4FC4B 9D7FD92A48244457911B466652E8AC69458E8EA4EA9896A D5AE76A6D 32F5DEB961B24AC61D331 2 3 1 0 130 D 6 92A864886F7 D 1 1 5 5 0 38181 08C2ACCCB27885E42DB35724E3BCE6CD58DA5671CE5AD7B8EC0B5C52421C4AA84BD 3 28D5CFF 19A853DE74ED7 471D3F610489C7FC232522B13623AA4F4B38A 82F28 51016917CE588DA8326156629CF70FFB2663C8A63CE 860CA81E7815F82A4FB3BF7DD385F 38696F5 04254C5BC39451DA220FE24D0578483464F6D58
Result is insecure
Obviously the output leaves something to be desired, but that's not the point. Next post will show the equivalent output from OpenSSL.
Installing a validating DNS stub resolver
So a quick look at the alternatives available, primarily ldns and libunbound indicated that the latter has significantly more useful documentation. Documentation is king, so that's what I'm going to favor.
Installing libunbound on the Mac:
1. Download
2. ./configure --with-ldns=/usr/local/ --with-ssl=/usr/local/ssl/
3. make && make install
I then grabbed one of the tutorial examples from their website and compiled it:
$ gcc -o unb_secure_resolve unb_secure_resolve.c -I/usr/local/include -L/usr/local/lib -lunbound
Installing libunbound on the Mac:
1. Download
2. ./configure --with-ldns=/usr/local/ --with-ssl=/usr/local/ssl/
3. make && make install
I then grabbed one of the tutorial examples from their website and compiled it:
$ gcc -o unb_secure_resolve unb_secure_resolve.c -I/usr/local/include -L/usr/local/lib -lunbound
BIND 9.7 configuration
[root@localhost ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; 172.16.52.182; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "example.com" IN {
type master;
file "example.com";
};
[root@localhost ~]# cat /var/named/example.com
$TTL 1D
$ORIGIN example.com.
@ IN SOA master rname.invalid. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 172.16.52.182
www A 172.16.52.182
_443._tcp.www IN TYPE65468 \# 34 0101D1A0F378F90614277D1677F3ADF67FD56390009BDFFB6A3429C421A26E37FE22
The record at _443._tcp.www was generated by the dane tool and uses a temporary record type waiting for the TLSA to get an official number assigned.
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; 172.16.52.182; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "example.com" IN {
type master;
file "example.com";
};
[root@localhost ~]# cat /var/named/example.com
$TTL 1D
$ORIGIN example.com.
@ IN SOA master rname.invalid. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 172.16.52.182
www A 172.16.52.182
_443._tcp.www IN TYPE65468 \# 34 0101D1A0F378F90614277D1677F3ADF67FD56390009BDFFB6A3429C421A26E37FE22
The record at _443._tcp.www was generated by the dane tool and uses a temporary record type waiting for the TLSA to get an official number assigned.
Sunday, November 13, 2011
Setting up a poc environment
Long time since the last post, been very busy with work and the last couple of weeks also struggling with a flu.
Anyway, I will now start building a local poc environment running as a VM on my laptop. It will consist of the following components:
Anyway, I will now start building a local poc environment running as a VM on my laptop. It will consist of the following components:
- Centos 6
- BIND 9.something
- OpenSSL
- Apache
Just finished installing a fresh VM.
"dane" command
This command generates the TLSA record based on a TLS interaction with a webserver. Written Poul Wouters, it can be found as part of sshfp which is here.
Running 'make install' copies the files into the right places, but when trying to use it we now need to deal with all the dependencies.
First, since I'm using Python 2.6 I need to get argparse. Can be found here. Installing setuptools (yum install python-setuptools) made that easy, all I needed to do was run easy_install argparse.
Next stop, ldns-python. Can't find it in yum, so I'll go to a repository for it. Download rpm, install. Not. Need ldns. Install ldns, and then install ldns-python. Done.
Will leave it like that for now.Monday, October 3, 2011
Client...
I think it makes sense to use the s_client (apps/s_client.c ) as my testbed... Around line 1220 is where they start doing some interesting stuff.
Well, hard to see exactly where it would make sense to insert a DANE check but probably around that region.
Interestingly, the print_stuff(BIO *bio, SSL *s, int full) function has some useful code...
Well, hard to see exactly where it would make sense to insert a DANE check but probably around that region.
Interestingly, the print_stuff(BIO *bio, SSL *s, int full) function has some useful code...
Thursday, September 29, 2011
Got it... I think
Quick one here. I just realized, or made the decision, whatever. That I probably shouldn't try to insert the DANE check into the OpenSSL certificate checking path.
Instead what I'll do is I will add a separate file that has the DANE stuff and make it up to the application developer to run the DANE check as well, after the SSL handshake has happened.
That sure as hell made things neater. :)
Instead what I'll do is I will add a separate file that has the DANE stuff and make it up to the application developer to run the DANE check as well, after the SSL handshake has happened.
That sure as hell made things neater. :)
Tuesday, September 27, 2011
More on the ingress point...
Found this article as well, and following that, I see that I should probably get in somewhere in the BIO_ piece of it. Somewhere in the vicinity of this code, or rather the library functions that are being called here.
Setting up the connection is done by functions in the crypto/bio/bss_conn.c file, but it's not clear to me where (or even if) it's validating the certificate. I don't think it is, it seems to handle the connection only.
Also was checking out the file ssl/s3_clnt.c - severely dense, but might be useful from a learning perspective.
Now time to sleep.
bio = BIO_new_ssl_connect(ctx);and
BIO_get_ssl(bio, & ssl);
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
/* Attempt to connect */
BIO_set_conn_hostname(bio, "hostname:port");
/* Verify the connection opened and perform the handshake */
if(BIO_do_connect(bio) <= 0) {
/* Handle failed connection */
}
if(SSL_get_verify_result(ssl) != X509_V_OK) {
/* Handle the failed verification */
}The object bio should hold all that I need after the call to BIO_do_connect, as I believe that's where the TLS handshake takes place. Since that's probably the last function call that I know will be called by the client application, it seems that I should try to insert my code there.Setting up the connection is done by functions in the crypto/bio/bss_conn.c file, but it's not clear to me where (or even if) it's validating the certificate. I don't think it is, it seems to handle the connection only.
Also was checking out the file ssl/s3_clnt.c - severely dense, but might be useful from a learning perspective.
Now time to sleep.
Looking for literature
That kind of sounded a little bit serious, but actually, it IS what I'm doing. I'm still struggling a little bit to grasp where I'm supposed to tie myself in but at least I'm starting to get a handle on how TLS works from the client point of view. Received a book from Amazon yesterday that's proving itself to be very helpful. "Implementing SSL/TLS" by Joshua Davies.
Also Googled a bit more and found a good set of articles written by Eric Rescorla, who I believe came up with SSL in the first place. It's a two-piece thing, can be found here and the second part here.
Also Googled a bit more and found a good set of articles written by Eric Rescorla, who I believe came up with SSL in the first place. It's a two-piece thing, can be found here and the second part here.
Sunday, September 18, 2011
Trying to figure out where the ingress point will be
So one of my first problems is to figure out where I'm supposed to insert my work, which will do a DANE lookup and pass/fail the connection. The DANE lookup requires the connection's protocol and port so that a DNS lookup like:
_443._tcp.www.example.com
can be made. It seems that a good candidate for inserting my work will be somewhere south of BIO_s_connect(3). This specifically should give me access to the port number, whilst for the time being I think that the protocol can be assumed to be TCP.
One thing I need to validate though is that the BIO_* framework is actually used being used, and preferably that I can reasonably easily find a client implemented with that framework that I can trick into using a DANE-capable OpenSSL. So far my reference is this article.
More tk.
Edit: Just found this article that outlines how to write a client that uses BIO.
_443._tcp.www.example.com
can be made. It seems that a good candidate for inserting my work will be somewhere south of BIO_s_connect(3). This specifically should give me access to the port number, whilst for the time being I think that the protocol can be assumed to be TCP.
One thing I need to validate though is that the BIO_* framework is actually used being used, and preferably that I can reasonably easily find a client implemented with that framework that I can trick into using a DANE-capable OpenSSL. So far my reference is this article.
More tk.
Edit: Just found this article that outlines how to write a client that uses BIO.
Thursday, September 15, 2011
Getting started
Tonight I've downloaded and installed XCode. Now trying to build openssl but getting errors:
Undefined symbols:
"_ENGINE_load_gost", referenced from:
_ENGINE_load_builtin_engines in libcrypto.a(eng_all.o)
ld: symbol(s) not found
collect2: ld returned 1 exit status
make[2]: *** [link_app.] Error 1
make[1]: *** [openssl] Error 2
make: *** [build_apps] Error 1
Undefined symbols:
"_ENGINE_load_gost", referenced from:
_ENGINE_load_builtin_engines in libcrypto.a(eng_all.o)
ld: symbol(s) not found
collect2: ld returned 1 exit status
make[2]: *** [link_app.] Error 1
make[1]: *** [openssl] Error 2
make: *** [build_apps] Error 1
Subscribe to:
Posts (Atom)