danetool

This is a tool that grabs a certificate from a service and compares it to TLSA records. It can also generate TLSA records.

Dependencies

Usage

Check DANE on some HTTPS service

danetool www.example.com

Check DANE on a SMTP server

danetool --starttls=smtp mail.example.com:25

Use a different name in SNI

danetool myservice.example@hosting.example.net

SNI support needs LuaSec.

Generate a TLSA record

danetool --gen-tlsa=3-0-1 www.example.org

Should give additional output like:

DANE-EE     Cert    SHA2-256
3 0 1 642de54d84c30494157f53f657bf9f89b4ea6c8b16351fd7ec258d556f821040

Options

--starttls

Send some data before starting TLS handshake.

Values (--starttls=???) are:

  • smtp
  • imap
  • xmpp-client
  • xmpp-server

--gen-tlsa

Takes a tripplet of numeric Usage, Selector and Match parameters separated by hypen.

--pem

Dumps the certificate in PEM format.