On Mon, Aug 26, 2024 at 11:20:52AM +1000, Viktor Dukhovni wrote:
and, I publish both RSA and ECDSA DANE records.
If you also have both certificate algorithms deployed live on your server, keep in mind that you then need two sets of "3 1 1" records, one for each algorithm:
https://mail.sys4.de/pipermail/dane-users/2017-August/000416.html
I see that you've indeed published "3 1 2" records for both your RSA and your ECDSA certificate. This is in my view an "expert" configuration. Make sure you have monitoring in place on your end to catch any problems that might occur around future certificate renewals.
Note also that the "ISRG X1" or "ISRG X2" root CA cert (whichever is the issuer of your intermediate CA cert) is not included in your server certificate chain file, so the TLSA records for these won't work with at least the DANE TLSA code in Postfix and Exim and likely other MTAs.
_25._tcp.mx2-edge.censored.net. IN TLSA 2 1 1 025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d
_25._tcp.mx2-edge.censored.net. IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3
_25._tcp.mx2-edge.censored.net. IN TLSA 2 1 1 2bbad93ab5c79279ec121507f272cbe0c6647a3aae52e22f388afab426b4adba
_25._tcp.mx2-edge.censored.net. IN TLSA 2 1 1 3586d4ecf070578cbd27aedce20b964e48bc149faeb9dad72f46b857869172b8
_25._tcp.mx2-edge.censored.net. IN TLSA 2 1 1 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7
_25._tcp.mx2-edge.censored.net. IN TLSA 2 1 1 762195c225586ee6c0237456e2107dc54f1efc21f61a792ebd515913cce68332
_25._tcp.mx2-edge.censored.net. IN TLSA 2 1 1 885bf0572252c6741dc9a52f5044487fef2a93b811cdedfad7624cc283b7cdd5
_25._tcp.mx2-edge.censored.net. IN TLSA 2 1 1 919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4
_25._tcp.mx2-edge.censored.net. IN TLSA 2 1 1 cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75
_25._tcp.mx2-edge.censored.net. IN TLSA 2 1 1 d016e1fe311948aca64f2de44ce86c9a51ca041df6103bb52a88eb3f761f57d7
_25._tcp.mx2-edge.censored.net. IN TLSA 2 1 1 f1440a9b76e1e41e53a4cb461329bf6337b419726be513e42e19f1c691c5d4b2
_25._tcp.mx2-edge.censored.net. IN TLSA 2 1 1 f1647a5ee3efac54c892e930584fe47979b7acd1c76c1271bca1c5076d869888
_25._tcp.mx2-edge.censored.net. IN TLSA 3 1 2 1b1436e45b1d56e4183f45d81f0fff48ea193aeda60d99b037945cc1d20fbfecd3da2b5d5de75fdfe0cf0420891d649957568c0cb8dc7cdae83ff4d21ac4e3fa
_25._tcp.mx2-edge.censored.net. IN TLSA 3 1 2 eec904205869cafa231f037b958e3ce7cde10443464261b01f5b95d852dd50cdefee7cead8b79792dca7fb1ea4f138fc615d1a2018133fc2d94d1260e012bf5a
mx2-edge.censored.net[192.0.2.1]: pass: TLSA match: depth = 0, name = mx2-edge.censored.net
  TLS = TLS13 with CHACHA20POLY1305-SHA256,X25519,PubKeyALG_EC
  name = mx1-edge.censored.net
  name = mx2-edge.censored.net
  depth = 0
    Issuer CommonName = E6
    Issuer Organization = Let's Encrypt
    notBefore = 2024-08-25T15:51:37Z
    notAfter = 2024-11-23T15:51:36Z
    Subject CommonName = mx1-edge.censored.net
    pkey sha512 [matched] <- 3 1 2 eec904205869cafa231f037b958e3ce7cde10443464261b01f5b95d852dd50cdefee7cead8b79792dca7fb1ea4f138fc615d1a2018133fc2d94d1260e012bf5a
  depth = 1
    Issuer CommonName = ISRG Root X2
    Issuer Organization = Internet Security Research Group
    notBefore = 2024-03-13T00:00:00Z
    notAfter = 2027-03-12T23:59:59Z
    Subject CommonName = E6
    Subject Organization = Let's Encrypt
    pkey sha256 [matched] <- 2 1 1 d016e1fe311948aca64f2de44ce86c9a51ca041df6103bb52a88eb3f761f57d7
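One way to catch the chain-file problem described above before a renewal bites, as an added example that is not code from the original post nor from Postfix or Exim: the script recomputes the TLSA association data for every certificate in the chain file the server actually sends and reports which published records nothing in that chain can satisfy (a "2 1 1" for a root that is not in the chain file, for instance). It assumes the chain is PEM, leaf first, uses only the standard library, and fake_cert() builds a constructed DER stand-in, not a real certificate, so it runs offline.

```python
import base64
import hashlib
import re

TLSA_RE = re.compile(r"IN\s+TLSA\s+(\d)\s+(\d)\s+(\d)\s+([0-9a-fA-F]+)")

def der_tlv(buf, pos):
    """(tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the byte count of the length field
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_der(cert_der):
    """subjectPublicKeyInfo TLV of an X.509 cert, the input for TLSA selector 1."""
    _, pos, _ = der_tlv(cert_der, der_tlv(cert_der, 0)[1])  # Certificate -> TBSCertificate
    tag, _, end = der_tlv(cert_der, pos)
    pos = end if tag == 0xA0 else pos                         # skip optional [0] version
    for _ in range(5):                                        # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_tlv(cert_der, pos)
    _, _, end = der_tlv(cert_der, pos)
    return cert_der[pos:end]

def tlsa_data(cert_der, selector, mtype):
    obj = cert_der if selector == 0 else spki_der(cert_der)  # selector 0: full cert, 1: SPKI
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](obj).hexdigest()  # matching type

def chain_ders(pem_text):
    """DER certs of a PEM chain file, leaf first, as the server sends them."""
    pems = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(p.split())) for p in pems]

def audit_tlsa(zone_text, chain):
    """Chain depth each TLSA record matches, or None if nothing the server sends can satisfy it:
    usage 3/1 (end entity) must match depth 0, usage 2/0 (trust anchor) some depth >= 1."""
    ders = chain_ders(chain) if isinstance(chain, str) else list(chain)
    report = {}
    for usage, selector, mtype, data in TLSA_RE.findall(zone_text):
        usage, selector, mtype = int(usage), int(selector), int(mtype)
        depths = [d for d in range(len(ders)) if (d == 0) == (usage in (1, 3))]
        report[f"{usage} {selector} {mtype} {data.lower()}"] = next(
            (d for d in depths if tlsa_data(ders[d], selector, mtype) == data.lower()), None)
    return report

def fake_cert(spki_body):
    """Constructed stand-in (not real X.509): only the field layout spki_der() walks, 2-byte lengths."""
    def tlv(tag, body):
        return bytes([tag, 0x82, len(body) >> 8, len(body) & 0xFF]) + body
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 4 + tlv(0x30, spki_body))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

Any record whose value in the report is None cannot be matched by a DANE client that only sees the served chain, which is exactly the situation of a "2 1 1" root-CA record when the root is not in the chain file.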