Pieter Lexis committed Jan 24, 2012
0 parents
commit 7e40b63
Showing 3 changed files with 638 additions and 0 deletions.
@@ -0,0 +1,57 @@ | ||
SWEDE - tools to create and verify TLSA (DANE) records | ||
================================================================================ | ||
Swede aims to provide a one-stop solutions to create and test TLSA records. | ||
|
||
LICENSE | ||
-------------------------------------------------------------------------------- | ||
swede is copyright Pieter Lexis <pieter@os3.nl> and is licensed under the terms | ||
of the GNU General Public Licence version 2 or higher. | ||
|
||
DEPENDENCIES | ||
-------------------------------------------------------------------------------- | ||
- Python (>= 2.6) | ||
- python-{unbound, argparse, ipaddr, m2crypto} | ||
|
||
swede has been tested on Debian 6 (Squeeze) using the python-unbound package | ||
from squeeze-backports. | ||
|
||
FEATURES | ||
-------------------------------------------------------------------------------- | ||
- Creation of all 18 permutations of TLSA records | ||
- Output in draft and RFC format | ||
- Ability to load certificates from disk to create records from | ||
- Verify TLSA records 'in the field' with the certificates offered by the TLS | ||
service running on the server | ||
|
||
USAGE | ||
-------------------------------------------------------------------------------- | ||
See EXAMPLES below and try the following: | ||
swede --help | ||
swede create --help | ||
swede verify --help | ||
|
||
EXAMPLES | ||
-------------------------------------------------------------------------------- | ||
swede create --usage 1 --output rfc www.os3.nl | ||
swede --insecure create --usage 0 mail.google.com | ||
|
||
swede verify -p 1516 dane.kiev.practicum.os3.nl | ||
swede verify ulthar.us | ||
TODO | ||
-------------------------------------------------------------------------------- | ||
- Creation tool that checks the CN in the Subject of the certificate | ||
- IPv6 support (M2Crypto doesnt support it at the moment) | ||
- Creation tool that does an AXFR for a full zone, collects all hostnames, gets | ||
the certificates (or the CA certificate from the commandline) and creates all | ||
TLSA records. | ||
- Test certificates (other than using the functions in M2Crypto) when no chain | ||
is presented during the TLS session | ||
- Manpage | ||
|
||
KNOWN BUGS | ||
-------------------------------------------------------------------------------- | ||
- swede is mostly untested. | ||
- Not everything that can raise an exception is in a try/except block | ||
- No support for SRV record indirection (see Issue 28 of the DANE-WG) | ||
- No support for TLS/SSL over UDP or SCTP | ||
- No support for STARTTLS type protocols (only 'straight' SSL/TLS conections) |
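Review bot: the `--insecure` flag in the example `swede --insecure create --usage 0 mail.google.com` is never explained in this README; add a sentence to USAGE saying what it disables (the name suggests it skips DNSSEC validation of the lookups) and that a TLSA record created or verified without validated DNS gives no DANE assurance, so readers do not copy the flag into real use. Smaller points in the same hunk: "a one-stop solutions" should read "a one-stop solution", "doesnt" should be "doesn't", "conections" should be "connections", and a blank line is missing between the EXAMPLES block and the TODO heading so the two sections run together.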
@@ -0,0 +1,9 @@ | ||
; autotrust trust anchor file | ||
;;id: . 1 | ||
;;last_queried: 1326888589 ;;Wed Jan 18 13:09:49 2012 | ||
;;last_success: 1326888589 ;;Wed Jan 18 13:09:49 2012 | ||
;;next_probe_time: 1326929661 ;;Thu Jan 19 00:34:21 2012 | ||
;;query_failed: 0 | ||
;;query_interval: 43200 | ||
;;retry_time: 8640 | ||
. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1326804159 ;;Tue Jan 17 13:42:39 2012 |
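Review bot: this autotrust file is committed with live probe state (`;;last_queried`, `;;next_probe_time: 1326929661`, `;;count=0`, `;;state=2 [ VALID ]`), which is only meaningful if swede lets unbound track and rewrite it per RFC 5011; the README should say where swede expects the file, whether it must be writable, and that the shipped copy is a snapshot from Jan 2012 that a user should compare against an out-of-band copy of the root KSK (id 19036) before trusting it. A stale or tampered trust anchor silently undermines every DNSSEC-validated TLSA lookup the tool performs, so the file deserves a line of documentation rather than being an unexplained addition in the initial commit.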