Skip to content
master
Switch branches/tags
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 
 
 

README.md

SWEDE - a tool to create and verify TLSA (DANE) records

Swede aims to provide a one-stop solutions to create and test TLSA records.

Swede is created as a proof of concept tool (and should be treated as such).

LICENSE

swede is copyright Pieter Lexis pieter.lexis@os3.nl and is licensed under the terms of the GNU General Public Licence version 2 or higher.

DEPENDENCIES

  • Python (>= 2.6)
  • python-{unbound, argparse, ipaddr, m2crypto}

swede has been tested on Debian 6 (Squeeze) using the python-unbound package from squeeze-backports.

FEATURES

  • Creation of all 24 permutations of TLSA records
  • Output in generic and RFC format
  • Ability to load certificates from disk to create records from
  • Verify TLSA records 'in the field' with the certificates offered by the TLS service running on the server

USAGE

See EXAMPLES below and try the following:

swede --help
swede create --help
swede verify --help

EXAMPLES

swede create --usage 1 --output rfc www.os3.nl
swede --insecure create --usage 0 mail.google.com
swede verify -p 1516 dane.kiev.practicum.os3.nl
swede verify ulthar.us

TODO

  • Create and verify should check the CN in the Subject of the certificate
  • The verification for usage 2 is VERY naive
  • Creation tool that does an AXFR for a full zone, collects all hostnames, gets the certificates (or the CA certificate from the commandline) and creates all TLSA records.
  • Test certificates (other than using the functions in M2Crypto) when no chain is presented during the TLS session
  • Manpage

KNOWN BUGS

  • swede is mostly untested.
  • Not everything that can raise an exception is in a try/except block
  • No support for SRV record indirection (see Issue 28 of the DANE-WG)
  • No support for TLS/SSL over UDP or SCTP
  • No support for STARTTLS type protocols (only 'straight' SSL/TLS conections)
  • Important certificate validation bugs are mentioned in the issue tracker: https://github.com/pieterlexis/swede/issues

About

A tool to create and verify TLSA (DANE) records

Resources

Releases

No releases published

Packages

No packages published

Languages