💾 Archived View for thebackupbox.net › ~epoch › blog › tlsa captured on 2024-12-17 at 10:12:46. Gemini links have been rewritten to link to archived content
(thank you to tomasino for having cosmic.voyage use TLSA records)
brandname openssl has some TLSA support built into s_client. -dane_tlsa_domain switches DANE verification on (and sets the SNI/hostname to check), and -dane_tlsa_rrdata takes one TLSA record in presentation form ("usage selector mtype hexdata"):
openssl s_client -connect cosmic.voyage:1965 -dane_tlsa_domain cosmic.voyage -dane_tlsa_rrdata "$(dig +short -t TLSA _1965._tcp.cosmic.voyage)"
a few things to watch with that one-liner: each -dane_tlsa_rrdata wants exactly one record, so if the name has more than one TLSA record the $(dig ...) above stuffs several lines into a single argument and you have to pass each line with its own -dane_tlsa_rrdata. s_client also completes the handshake even when nothing matches, so look in the output for a "DANE TLSA ..." line saying the record matched and for "Verify return code: 0 (ok)", or add -verify_return_error to make a mismatch abort. and the whole thing is only as good as the dig answer: unless it came from a DNSSEC-validating resolver (dig +dnssec and check for the ad flag), whoever sits on your DNS path can hand you a record that matches their own cert.
there's a python script (hash-slinger's tlsa) that will verify tlsa records for you.
a lot easier to use than the other two, because it does its own DNS lookups
(DNSSEC-validating ones, through libunbound, so you get told whether the record was actually secure).
https://github.com/letoams/hash-slinger
https://packages.debian.org/hash-slinger
tlsa --verify --port 1965 cosmic.voyage
there's another little tool that can do tlsa checking, this time in C (the connected test program that ships with the ssl_dane library).
https://github.com/vdukhovni/ssl_dane
echo | openssl s_client -connect cosmic.voyage:1965 | openssl x509 -out cosmic.cert
LD_LIBRARY_PATH=. ./connected 3 1 sha256 cosmic.cert cosmic.cert 1965 cosmic.voyage
I'm not sure why this "works", but it is probably wrong. it isn't using the value from the TLSA record
at all, just two copies of the cert.
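for what a TLSA verifier actually has to do under the hood, here is an added example (my own, not from the original post and not code from hash-slinger or ssl_dane) that does the check with nothing but the python standard library: grab the server's end-entity cert, fetch the TLSA RRset with dig, derive the association data the way RFC 6698 says (selector 0 = whole DER cert, 1 = SubjectPublicKeyInfo; matching type 0 = raw, 1 = SHA-256, 2 = SHA-512) and compare. it only handles the end-entity usages (1 and 3), since usages 0 and 2 name a CA cert and need the chain. the online part assumes dig is on PATH and, as above, that the resolver is trustworthy; the matching itself runs offline. cosmic.voyage and port 1965 are taken from the post, everything else is assumed.

```python
# Added example, not part of the original post, hash-slinger or ssl_dane.
# Minimal DANE-EE / PKIX-EE TLSA matcher (RFC 6698) using only the stdlib.
#   selector 0 = whole DER certificate, 1 = SubjectPublicKeyInfo
#   mtype    0 = raw bytes, 1 = SHA-256, 2 = SHA-512
# Assumes `dig` is on PATH for the online check_host() path.
import hashlib
import ssl
import subprocess


def _der_tlv(buf, pos):
    """Decode one DER header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _der_elements(buf, start, end):
    """Yield (tag, elem_start, elem_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, value_end = _der_tlv(buf, pos)
        yield tag, pos, value_end
        pos = value_end


def spki_der(cert_der):
    """Return the DER SubjectPublicKeyInfo (selector 1) of a DER certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_vs, cert_ve = _der_tlv(cert_der, 0)
    _, tbs_start, _ = next(_der_elements(cert_der, cert_vs, cert_ve))
    _, tbs_vs, tbs_ve = _der_tlv(cert_der, tbs_start)
    fields = list(_der_elements(cert_der, tbs_vs, tbs_ve))
    if fields and fields[0][0] == 0xA0:    # explicit [0] version present (v2/v3 certs)
        fields = fields[1:]
    _, start, end = fields[5]              # serial, sigalg, issuer, validity, subject, SPKI
    return cert_der[start:end]


def tlsa_assoc_data(cert_der, selector, mtype):
    """Compute the Certificate Association Data for (selector, mtype)."""
    if selector == 0:
        blob = cert_der
    elif selector == 1:
        blob = spki_der(cert_der)
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:
        return blob
    if mtype == 1:
        return hashlib.sha256(blob).digest()
    if mtype == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {mtype}")


def parse_tlsa_rrdata(line):
    """Parse presentation form 'usage selector mtype hex...' (hex may contain spaces)."""
    parts = line.split()
    usage, selector, mtype = (int(p) for p in parts[:3])
    return usage, selector, mtype, bytes.fromhex("".join(parts[3:]))


def tlsa_matches(cert_der, rrdata_line):
    """True if the end-entity cert satisfies this record (usages 1 and 3 only)."""
    usage, selector, mtype, data = parse_tlsa_rrdata(rrdata_line)
    if usage not in (1, 3):
        return False   # usages 0 and 2 name a CA: would need the chain, not the EE cert
    return tlsa_assoc_data(cert_der, selector, mtype) == data


def check_host(host, port=1965):
    """Fetch the EE cert and the TLSA RRset; return True if any record matches."""
    pem = ssl.get_server_certificate((host, port))   # no PKIX validation: DANE replaces it
    cert_der = ssl.PEM_cert_to_DER_cert(pem)
    answer = subprocess.run(["dig", "+short", "-t", "TLSA", f"_{port}._tcp.{host}"],
                            capture_output=True, text=True, check=True).stdout
    ok = False
    for line in answer.splitlines():
        if not line or not line[0].isdigit():        # skip RRSIGs, CNAME chasing, blanks
            continue
        matched = tlsa_matches(cert_der, line)
        print("match   " if matched else "MISMATCH", line)
        ok = ok or matched
    return ok


if __name__ == "__main__":
    raise SystemExit(0 if check_host("cosmic.voyage") else 1)
```

note that unlike the `connected` invocation above, the record data here comes from DNS and the certificate from the TLS handshake, so the two sides are independent and a match actually means something. the same caveat as with the openssl one-liner applies: `dig +short` does not tell you whether the answer was DNSSEC-validated, so for anything beyond poking around, run it against a validating resolver or switch to hash-slinger.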