dane_verify_crt - Linux


Overview

dane_verify_crt is a command-line tool used to validate Domain-validated Application Network Enforcement (DANE) certificates, ensuring the authenticity and integrity of TLS connections between clients and servers. It is commonly employed in conjunction with MTA-STS (Mail Transfer Agent Strict Transport Security) to enforce the use of DANE-validated TLS for email delivery.

Syntax

dane_verify_crt [options] crt_files...

Options/Flags

  • --skip-tls: Skip checking the TLS server certificate’s DANE TLSA record.
  • --ipv4-host: Override the server’s hostname to an IPv4 IP address.
  • --ipv6-host: Override the server’s hostname to an IPv6 IP address.
  • --tcp-port: Override the default TCP port to use (443).
  • --tls-timeout: Set the TLS socket connection timeout in seconds (default: 10).
  • --tls-hostname-check: Override the TLS hostname checking (default: True).
  • --ca-bundle: Specify a custom CA bundle to use for TLS verification.
  • --dns-server: Override the default DNS server to use.
  • --dns-timeout: Set the DNS query timeout in seconds (default: 10).
  • --dns-retries: Set the number of DNS query retries (default: 3).
  • --key-usage: Specify the key usage flags to check for (default: "TLS ServerAuth").
  • --key-algorithm: Specify the key algorithm to check for (default: "RSA").
  • --key-length: Specify the key length to check for (default: 2048).
  • --trust-unknown-issuer: Trust DANE TLSA records signed by unknown issuers (default: False).
  • --verbose: Enable verbose output.
  • --help: Display help information.

Examples

Simple usage:

dane_verify_crt example.com

Override TLS hostname:

dane_verify_crt --tls-hostname-check=False example.com

Specify a custom CA bundle:

dane_verify_crt --ca-bundle=my-custom-ca-bundle.pem example.com

Common Issues

  • No TLSA records found: Ensure that TLSA records are published for the domain.
  • TLS hostname mismatch: The TLS server certificate hostname must match the domain in the TLSA record.
  • Invalid TLS certificate: The TLS certificate must be valid and signed by a trusted CA.
  • DNS resolution timeout: Adjust the DNS timeout and retries to ensure successful DNS queries.
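As an added worked example, not part of this page or of the dane_verify_crt tool, the following Python code shows the matching step behind the issues listed above: it parses TLSA records in the presentation format that dig prints, computes the association data (full certificate or SubjectPublicKeyInfo, raw or hashed, per RFC 6698), and compares it against the records, reporting "no_tlsa" when nothing is published and "no_match" when the presented certificate does not correspond to any record. It assumes the caller already has the DER bytes of each certificate and of its SubjectPublicKeyInfo (a real validator extracts the SPKI from the certificate); all sample bytes are constructed, and trust-anchor usages are matched only against issuer certificates present in the chain, a simplification noted in the code.

```python
"""Offline check of a presented certificate chain against DANE TLSA records.

Example code written for this page; it is not the dane_verify_crt tool and
performs no DNS lookups or TLS connections. Inputs are DER byte strings
supplied by the caller (constructed values in the demo at the bottom).
"""
import hashlib
import hmac
from dataclasses import dataclass

# TLSA certificate usages (RFC 6698 section 2.1.1)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# selector: 0 = full certificate, 1 = SubjectPublicKeyInfo
# matching type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
_DIGESTS = {0: None, 1: "sha256", 2: "sha512"}


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes


@dataclass(frozen=True)
class CertBytes:
    """DER of one certificate and of its SubjectPublicKeyInfo. Assumption of this
    example: the caller supplies both; a real tool parses the SPKI out of the cert."""
    cert: bytes
    spki: bytes


def parse_tlsa(presentation: str) -> TLSA:
    """Parse presentation format such as '3 1 1 2bb183...' as printed by
    `dig TLSA _25._tcp.mail.example.com +short`. dig may split long hex data
    into several whitespace-separated words, so everything after the third
    field is joined before decoding."""
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError(f"malformed TLSA record: {presentation!r}")
    usage, selector, matching = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or matching not in _DIGESTS:
        raise ValueError(f"unsupported TLSA parameters: {presentation!r}")
    return TLSA(usage, selector, matching, bytes.fromhex("".join(fields[3:])))


def association_data(c: CertBytes, selector: int, matching: int) -> bytes:
    """The bytes a record's certificate association data is compared against."""
    selected = c.cert if selector == 0 else c.spki
    algo = _DIGESTS[matching]
    return selected if algo is None else hashlib.new(algo, selected).digest()


def tlsa_record_for(c: CertBytes, usage: int, selector: int, matching: int) -> str:
    """Presentation-format record an operator would publish for this certificate."""
    return f"{usage} {selector} {matching} {association_data(c, selector, matching).hex()}"


def verify_chain(records: list[str], chain: list[CertBytes]) -> dict:
    """Check a presented chain (end entity first) against the published TLSA RRset.

    Returns {'status', 'matched', 'pkix_required'}. status is 'no_tlsa' (nothing
    published: a DANE client treats this as "DANE not in use", not as a failure),
    'matched' or 'no_match'. pkix_required is True when ordinary CA validation
    must still succeed (usages 0 and 1, or no DANE data at all).
    Simplification of this example: trust-anchor usages (0, 2) are matched only
    against issuer certificates present in the chain; a full validator also
    builds and validates the path to that anchor (RFC 7671 section 5.2)."""
    if not records:
        return {"status": "no_tlsa", "matched": None, "pkix_required": True}
    for text in records:
        tlsa = parse_tlsa(text)
        candidates = chain[:1] if tlsa.usage in (PKIX_EE, DANE_EE) else chain[1:]
        for cert in candidates:
            computed = association_data(cert, tlsa.selector, tlsa.matching)
            if hmac.compare_digest(computed, tlsa.data):
                return {"status": "matched", "matched": text,
                        "pkix_required": tlsa.usage in (PKIX_TA, PKIX_EE)}
    return {"status": "no_match", "matched": None, "pkix_required": True}


if __name__ == "__main__":
    # Constructed sample bytes standing in for real DER-encoded certificates.
    ee = CertBytes(b"constructed-ee-cert-der", b"constructed-ee-spki-der")
    issuer = CertBytes(b"constructed-issuer-cert-der", b"constructed-issuer-spki-der")
    published = [tlsa_record_for(ee, DANE_EE, 1, 1)]   # the common "3 1 1" record
    print(published[0])
    print(verify_chain(published, [ee, issuer]))       # matched, no PKIX needed
    print(verify_chain([], [ee, issuer]))              # no_tlsa
    print(verify_chain(published, [issuer]))           # no_match: wrong key presented
```

The "3 1 1" record (DANE-EE, SPKI, SHA-256) is the form most mail operators publish because it survives certificate renewals that keep the same key; `tlsa_record_for` produces exactly the text to put in DNS, and the same function run against a freshly issued certificate tells you before deployment whether the published record will still match.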

Integration

Automated email verification:

script.sh | dane_verify_crt - | grep "Verified"

Related Commands

  • dig
  • openssl
  • MTA-STS