Wildcard certificate and DANE/TLSA records
Hello,
I'm working with a wildcard certificate[0] for a domain that I'm trying to add dane/tlsa records. There are a series of MX servers that use this certificate and I thought that I could put the specific name of the server into the TLSA record and that would work, but when I try to test that with one of the testers online, they fail to verify it, I think because there is no specific match to the name.
For example, I made these records using the certificate chain for the input to danetool:
danetool --tlsa-rr --host mx1.riseup.net --load-certificate ./wildcard_server_chain.pem --app-proto=smtp --ca --x509
_25._tcp.mx1.riseup.net. IN CNAME tlsa._mxdane.riseup.net. tlsa._mxdane.riseup.net. IN TLSA ( 02 00 01 3814e3eaf91e30451790697a98b1b5594cdbdfef4a73ef5a47ed33c556816645 )
But when I try to test that, I get:
################################################################# ### CHECKING MX HOST: mx1.riseup.net #################################################################
TLSA records found: 1 TLSA: 2 0 1 3814e3eaf91e30451790697a98b1b5594cdbdfef4a73ef5a47ed33c556816645
Connecting to IPv4 address: 198.252.153.129 port 25 recv: 220-mx1.riseup.net ESMTP (spam is not appreciated) recv: 220 mx1.riseup.net ESMTP (spam is not appreciated) send: EHLO cheetara.huque.com recv: 250-mx1.riseup.net recv: 250-PIPELINING recv: 250-SIZE 25600000 recv: 250-ETRN recv: 250-STARTTLS recv: 250-ENHANCEDSTATUSCODES recv: 250-8BITMIME recv: 250 DSN send: STARTTLS recv: 220 2.0.0 Ready to start TLS TLSv1.2 handshake succeeded. Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 Peer Certificate chain: 0 Subject CN: *.riseup.net Issuer CN: COMODO RSA Domain Validation Secure Server CA 1 Subject CN: COMODO RSA Domain Validation Secure Server CA Issuer CN: COMODO RSA Certification Authority 2 Subject CN: COMODO RSA Certification Authority Issuer CN: AddTrust External CA Root 3 Subject CN: AddTrust External CA Root Issuer CN: AddTrust External CA Root SAN dNSName: *.riseup.net SAN dNSName: riseup.net Error: peer authentication failed. rc=65 (No matching DANE TLSA records)
[2] Authentication failed for all (1) peers.
I suspect this is because the SAN dNSName does not specify mx1.riseup.net? I cannot find any specific details for how wildcards are handled in the RFCs.
Did I define the record incorrectly, or generate the hash over the wrong pieces? I thought maybe it was because I used the PEM encoded cert chain, but its not possible to generate a DER when the input is a multiple cert file.
Thanks for any help!
0. yes, I am aware of why wildcards are discouraged, but this is what I have to work with here.
On Mon, Dec 31, 2018 at 12:52:38PM -0500, zorion wrote:
I'm working with a wildcard certificate[0] for a domain that I'm trying to add dane/tlsa records.
[side comment] I don't recommend these. They often lead to single-point of failure problems, as the certificate tends to be replaced at the same time across all MX hosts, and if there's a problem they all fail.
If you have just one MX host, you don't need a wildcard certificate, if you have many, you gain a single point of failure. Better to have a separate certificate for each MX host. [/side comment]
[...] but when I try to test that with one of the testers online, they fail to verify it, I think because there is no specific match to the name.
No. That's not the problem.
For example, I made these records using the certificate chain for the input to danetool:
danetool --tlsa-rr --host mx1.riseup.net --load-certificate ./wildcard_server_chain.pem --app-proto=smtp --ca --x509
You're using the *end-entity* certificate to compute a digest that you then advertise as a digest of the *trust-anchor* issing CA. Naturally, these fail to match.
Here's what "danecheck" has to report (the "-->>" arrows are added by me):
riseup.net. IN MX 10 mx1.riseup.net. ; AD=1 NoError mx1.riseup.net. IN A 198.252.153.129 ; AD=1 NoError mx1.riseup.net. IN AAAA ? ; AD=1 NODATA _25._tcp.mx1.riseup.net. IN CNAME tlsa._mxdane.riseup.net. ; AD=1 NoError tlsa._mxdane.riseup.net. IN TLSA 2 0 1 3814e3eaf91e30451790697a98b1b5594cdbdfef4a73ef5a47ed33c556816645 ; AD=1 NoError mx1.riseup.net[198.252.153.129]: tlsa-mismatch TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384 name = *.riseup.net name = riseup.net depth = 0 Issuer CommonName = COMODO RSA Domain Validation Secure Server CA Issuer Organization = COMODO CA Limited notBefore = 2018-10-15T00:00:00Z notAfter = 2019-10-15T23:59:59Z Subject CommonName = *.riseup.net 1-->> cert sha256 [nomatch] <- 3 0 1 3814e3eaf91e30451790697a98b1b5594cdbdfef4a73ef5a47ed33c556816645 pkey sha256 [nomatch] <- 3 1 1 ff62cc1ec0a038b0eeebc323924be6caed3b3d56edcc9bfb943c1f2d09cdfb77 depth = 1 Issuer CommonName = COMODO RSA Certification Authority Issuer Organization = COMODO CA Limited notBefore = 2014-02-12T00:00:00Z notAfter = 2029-02-11T23:59:59Z Subject CommonName = COMODO RSA Domain Validation Secure Server CA Subject Organization = COMODO CA Limited 2-->> cert sha256 [nomatch] <- 2 0 1 02ab57e4e67a0cb48dd2ff34830e8ac40f4476fb08ca6be3f5cd846f646840f0 pkey sha256 [nomatch] <- 2 1 1 9253b6de74f67a11435c27f1dde1d30d1112333ddab23d66b8efb86887638ae6 depth = 2 Issuer CommonName = AddTrust External CA Root Issuer Organization = AddTrust AB notBefore = 2000-05-30T10:48:38Z notAfter = 2020-05-30T10:48:38Z Subject CommonName = COMODO RSA Certification Authority Subject Organization = COMODO CA Limited 3-->> cert sha256 [nomatch] <- 2 0 1 4f32d5dc00f715250abcc486511e37f501a899deb3bf7ea8adbbd3aef1c412da pkey sha256 [nomatch] <- 2 1 1 82b5f84daf47a59c7ab521e4982aefa40a53406a3aec26039efa6b2e0e7244c1 depth = 3 Issuer CommonName = AddTrust External CA Root Issuer Organization = AddTrust AB notBefore = 2000-05-30T10:48:38Z notAfter = 2020-05-30T10:48:38Z Subject CommonName = AddTrust External CA Root Subject Organization = AddTrust AB 4-->> cert sha256 [nomatch] <- 2 0 1 687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2 pkey sha256 [nomatch] <- 2 1 1 942a6916a6e4ae527711c5450247a2a74fb8e156a8254ca66e739a11493bb445
In potential match 1 the digest matches, but the usage is "3 0 1", and your TLSA record is "2 0 1", so no go. In 2, 3 and 4, the digests don't match.
..., or generate the hash over the wrong pieces?
Yes.
- yes, I am aware of why wildcards are discouraged, but this is what I
have to work with here.
Yes, with care they can be made to work.
participants (2)
-
Viktor Dukhovni
-
zorion