DANE: validating TLSA records

There are several tools for validating TLSA records.

From the Netherlands: ldns-dane
This comes with the ldns-utils package. It requires version >= 1.6.16. On Debian it is currently only available via backports, or you can of course compile it yourself.

apt-get install ldns-utils

Usage:

ldns-dane verify example.com 443

Correct output:

192.168.0.12 dane-validated successfully

Tool 2: posttls-finger from the Postfix package

posttls-finger -c -L verbose,summary example.org

If there are problems, the timeouts can be raised with -t and -T.

From the man page:

-t timeout (default: 30)
              The TCP connection timeout to use.  This is also the timeout for reading the remote server's 220 banner.

-T timeout (default: 30)
              The SMTP/LMTP command timeout for EHLO/LHLO, STARTTLS and QUIT.

Output:

:~ > posttls-finger -c -L verbose,summary example.org
posttls-finger: initializing the client-side TLS engine
posttls-finger: using DANE RR: _25._tcp.mta4.example.org IN TLSA 2 0 2 20:2F:CF:F5:3E:65:DE:B4:C2:AB:C3:EC:6D:8F:DC:FA:5C:B7:84:A9:77:38:0E:81:D5:EF:9A:B6:F0:86:E4:93:CB:85:C6:81:22:6C:14:ED:40:A7:96:7F:EA:BC:B7:82:6F:CE:59:71:F2:9A:B1:88:FF:C6:2C:FD:F9:BF:C9:86
posttls-finger: Failed to establish session to example.org via mta4.example.org: connect to mta4.example.org[192.168.0.138]:25: Connection refused
posttls-finger: using DANE RR: _25._tcp.mta3.example.org IN TLSA 2 0 2 20:2F:CF:F5:3E:65:DE:B4:C2:AB:C3:EC:6D:8F:DC:FA:5C:B7:84:A9:77:38:0E:81:D5:EF:9A:B6:F0:86:E4:93:CB:85:C6:81:22:6C:14:ED:40:A7:96:7F:EA:BC:B7:82:6F:CE:59:71:F2:9A:B1:88:FF:C6:2C:FD:F9:BF:C9:86
posttls-finger: setting up TLS connection to mta3.example.org[192.168.0.137]:25
posttls-finger: mta3.example.org[192.168.0.137]:25: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
posttls-finger: mta3.example.org[192.168.0.137]:25: depth=1 matched trust anchor certificate sha512 digest 20:2F:CF:F5:3E:65:DE:B4:C2:AB:C3:EC:6D:8F:DC:FA:5C:B7:84:A9:77:38:0E:81:D5:EF:9A:B6:F0:86:E4:93:CB:85:C6:81:22:6C:14:ED:40:A7:96:7F:EA:BC:B7:82:6F:CE:59:71:F2:9A:B1:88:FF:C6:2C:FD:F9:BF:C9:86
posttls-finger: mta3.example.org[192.168.0.137]:25: depth=0 trust-anchor certificate
posttls-finger: mta3.example.org[192.168.0.137]:25: depth=1 verify=1 subject=/C=DE/ST=noWhere/L=noWhere/O=Internet Widgits Pty Ltd/OU=example.org/CN=example.org/emailAddress=ssl@example.org
posttls-finger: mta3.example.org[192.168.0.137]:25: depth=0 verify=1 subject=/C=DE/ST=noWhere/L=noWhere/O=mta3.example.org/OU=mta3.example.org/CN=mta3.example.org/emailAddress=ssl@example.org
posttls-finger: mta3.example.org[192.168.0.137]:25 Matched CommonName mta3.example.org
posttls-finger: mta3.example.org[192.168.0.137]:25: subject_CN=mta3.example.org, issuer_CN=example.org, fingerprint=30:49:FB:D2:F3:D4:B3:D1:B5:32:C2:4B:1C:E7:D1:6A:AC:63:C7:D7, pkey_fingerprint=DF:48:73:8C:0B:E2:4B:30:50:EE:4D:AF:9F:A4:2F:1C:98:A4:BF:8F
posttls-finger: Verified TLS connection established to mta3.example.org[192.168.0.137]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
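To make explicit what posttls-finger checks in the "using DANE RR" and "matched trust anchor certificate sha512 digest" lines above, here is an added example (not part of this page, Postfix or ldns) that parses a TLSA record in the "2 0 2 ..." form, computes the certificate association data of a DER certificate for selector 0 (full certificate) or 1 (SubjectPublicKeyInfo) and matching type 1 (SHA-256) or 2 (SHA-512), and compares the two; it also renders the rdata you would publish. The certificate it runs on is a constructed toy DER structure, not a real certificate, and the minimal DER walker, the _der builder and all function names are this example's own.

```python
import hashlib

def parse_tlsa(rdata):
    """Parse '<usage> <selector> <mtype> <hex>' (dig or posttls-finger form, colons allowed)."""
    usage, selector, mtype, *rest = rdata.split()
    assoc = bytes.fromhex("".join(rest).replace(":", ""))
    want = {1: 32, 2: 64}.get(int(mtype))          # SHA-256 / SHA-512 digest length
    if want is not None and len(assoc) != want:
        raise ValueError(f"matching type {mtype} needs {want} bytes, got {len(assoc)}")
    return int(usage), int(selector), int(mtype), assoc

def _elements(buf, start, end):
    """DER TLVs inside buf[start:end] as (tag, hdr_start, val_start, val_end)."""
    out, pos = [], start
    while pos < end:
        hdr, tag, ln, pos = pos, buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                                # long-form length
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, hdr, pos, pos + ln))
        pos += ln
    return out

def spki_der(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 certificate (what selector 1 covers)."""
    _, _, vs, ve = _elements(cert_der, 0, len(cert_der))[0]   # Certificate
    _, _, ts, te = _elements(cert_der, vs, ve)[0]             # tbsCertificate
    fields = _elements(cert_der, ts, te)
    if fields[0][0] == 0xA0:                                  # explicit [0] version
        fields = fields[1:]
    _, hs, _, ve = fields[5]      # serial, sigAlg, issuer, validity, subject, SPKI
    return cert_der[hs:ve]

def assoc_data(cert_der, selector, mtype):   # selector 0 = cert, 1 = SPKI; mtype 0 raw, 1 SHA-256, 2 SHA-512
    data = cert_der if selector == 0 else spki_der(cert_der)
    return data if mtype == 0 else (hashlib.sha256, hashlib.sha512)[mtype - 1](data).digest()

def tlsa_rdata(cert_der, usage, selector, mtype):   # rdata to publish, colon-separated like posttls-finger
    return f"{usage} {selector} {mtype} " + ":".join(f"{b:02X}" for b in assoc_data(cert_der, selector, mtype))

def tlsa_matches(rdata, cert_der):   # the 'matched trust anchor' comparison for one record
    _, selector, mtype, assoc = parse_tlsa(rdata)
    return assoc_data(cert_der, selector, mtype) == assoc
def _der(tag, *payload):                             # DER builder for the constructed sample only
    body = b"".join(payload)
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x82, *len(body).to_bytes(2, "big")])) + body
# Constructed toy certificate: structurally valid DER, not a real signed certificate.
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"), _der(0x05)), _der(0x03, b"\x00" + b"\xab" * 130))
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), _der(0x30),
                              _der(0x30), _der(0x30), _der(0x30), SAMPLE_SPKI), _der(0x30), _der(0x03, b"\x00"))
```

For a real check, pass the DER bytes of the trust-anchor certificate (openssl x509 -outform DER) together with the "2 0 2 ..." rdata from the output above; a record whose hex length does not fit its matching type is rejected before any comparison.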