This is a tool that grabs a certificate from a service and compares it to TLSA records. It can also generate TLSA records.
Dependencies
- LuaSocket
- LuaSec >=0.5, with 0.6 needed for SPKI support
- luaunbound
- argparse
- Hash library, optional, but recommended for SPKI support
- Lua OpenSSL
- LuaCrypto
util.hashesfrom Prosody
Usage
Check DANE on some HTTPS service
danetool www.example.comCheck DANE on a SMTP server
danetool --starttls=smtp mail.example.com:25Use a different name in SNI
danetool myservice.example@hosting.example.netSNI support needs LuaSec.
Generate a TLSA record
danetool --gen-tlsa=3-0-1 www.example.orgShould give additional output like:
DANE-EE Cert SHA2-256
3 0 1 642de54d84c30494157f53f657bf9f89b4ea6c8b16351fd7ec258d556f821040Options
--starttls
Send some data before starting TLS handshake.
Values (--starttls=???) are:
smtpimapxmpp-clientxmpp-server
--gen-tlsa
Takes a tripplet of numeric Usage, Selector and Match parameters separated by hypen.
--pem
Dumps the certificate in PEM format.