This is a tool that grabs a certificate from a service and compares it to TLSA records. It can also generate TLSA records.
Dependencies
- LuaSocket
- LuaSec >=0.5, with 0.6 needed for SPKI support
- luaunbound
- argparse
- Hash library, optional, but recommended for SPKI support
- Lua OpenSSL
- LuaCrypto
util.hashes
from Prosody
Usage
Check DANE on some HTTPS service
danetool www.example.com
Check DANE on a SMTP server
danetool --starttls=smtp mail.example.com:25
Use a different name in SNI
danetool myservice.example@hosting.example.net
SNI support needs LuaSec.
Generate a TLSA record
danetool --gen-tlsa=3-0-1 www.example.org
Should give additional output like:
DANE-EE Cert SHA2-256
3 0 1 642de54d84c30494157f53f657bf9f89b4ea6c8b16351fd7ec258d556f821040
Options
--starttls
Send some data before starting TLS handshake.
Values (--starttls=???
) are:
smtp
imap
xmpp-client
xmpp-server
--gen-tlsa
Takes a tripplet of numeric Usage, Selector and Match parameters separated by hypen.
--pem
Dumps the certificate in PEM format.