dane_verify_crt - Linux
Overview
dane_verify_crt is a command-line tool used to validate Domain-validated Application Network Enforcement (DANE) certificates, ensuring the authenticity and integrity of TLS connections between clients and servers. It is commonly employed in conjunction with MTA-STS (Mail Transfer Agent Strict Transport Security) to enforce the use of DANE-validated TLS for email delivery.
Syntax
dane_verify_crt [options] crt_files...
Options/Flags
- --skip-tls: Skip checking the TLS server certificate's DANE TLSA record.
- --ipv4-host: Override the server's hostname to an IPv4 IP address.
- --ipv6-host: Override the server's hostname to an IPv6 IP address.
- --tcp-port: Override the default TCP port to use (443).
- --tls-timeout: Set the TLS socket connection timeout in seconds (default: 10).
- --tls-hostname-check: Override the TLS hostname checking (default: True).
- --ca-bundle: Specify a custom CA bundle to use for TLS verification.
- --dns-server: Override the default DNS server to use.
- --dns-timeout: Set the DNS query timeout in seconds (default: 10).
- --dns-retries: Set the number of DNS query retries (default: 3).
- --key-usage: Specify the key usage flags to check for (default: "TLS ServerAuth").
- --key-algorithm: Specify the key algorithm to check for (default: "RSA").
- --key-length: Specify the key length to check for (default: 2048).
- --trust-unknown-issuer: Trust DANE TLSA records signed by unknown issuers (default: False).
- --verbose: Enable verbose output.
- --help: Display help information.
Examples
Simple usage:
dane_verify_crt example.com
Override TLS hostname:
dane_verify_crt --tls-hostname-check=False example.com
Specify a custom CA bundle:
dane_verify_crt --ca-bundle=my-custom-ca-bundle.pem example.com
Common Issues
- No TLSA records found: Ensure that TLSA records are published for the domain.
- TLS hostname mismatch: The TLS server certificate hostname must match the domain in the TLSA record.
- Invalid TLS certificate: The TLS certificate must be valid and signed by a trusted CA.
- DNS resolution timeout: Adjust the DNS timeout and retries to ensure successful DNS queries.
Integration
Automated email verification:
script.sh | dane_verify_crt - | grep "Verified"
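A batch wrapper that drives the tool over a list of domains, added here as an example (it is not part of dane_verify_crt). It applies the Common Issues advice above by retrying once with a longer --dns-timeout and more --dns-retries when a DNS timeout is reported, and it classifies the result by the message strings named on this page ("Verified", "No TLSA records found", "DNS resolution timeout", "TLS hostname mismatch"); the exact output format of the tool and the DANE_VERIFY_CMD override variable are assumptions.

```shell
#!/bin/sh
# DANE_VERIFY_CMD lets a caller substitute the binary (assumed name; the
# real tool is expected on PATH as dane_verify_crt).
DANE_VERIFY_CMD="${DANE_VERIFY_CMD:-dane_verify_crt}"

# classify_output OUTPUT: maps the tool's output to a short status word
# based on the messages listed under Common Issues (format is assumed).
classify_output() {
  case "$1" in
    *"Verified"*)               echo verified ;;
    *"No TLSA records found"*)  echo no-tlsa ;;
    *"DNS resolution timeout"*) echo dns-timeout ;;
    *"TLS hostname mismatch"*)  echo hostname-mismatch ;;
    *)                          echo failed ;;
  esac
}

# verify_domain DOMAIN: run once with the documented defaults, then retry
# once with a longer DNS timeout and more retries if DNS timed out.
# Prints "DOMAIN STATUS"; the tool's own exit code is ignored on purpose.
verify_domain() {
  domain="$1"
  out=$("$DANE_VERIFY_CMD" --dns-timeout=10 --dns-retries=3 "$domain" 2>&1 </dev/null) || true
  status=$(classify_output "$out")
  if [ "$status" = dns-timeout ]; then
    out=$("$DANE_VERIFY_CMD" --dns-timeout=30 --dns-retries=6 "$domain" 2>&1 </dev/null) || true
    status=$(classify_output "$out")
  fi
  printf '%s %s\n' "$domain" "$status"
}

# verify_list: reads domains from stdin (one per line, '#' comments and
# blank lines ignored), prints one result line per domain, and returns
# non-zero if any domain did not verify, so it can gate a delivery job.
verify_list() {
  rc=0
  while IFS= read -r line; do
    d="${line%%#*}"
    d=$(printf '%s' "$d" | tr -d '[:space:]')
    [ -z "$d" ] && continue
    result=$(verify_domain "$d")
    printf '%s\n' "$result"
    case "$result" in *" verified") ;; *) rc=1 ;; esac
  done
  return $rc
}
```

Typical use is `printf 'mail.example\n' | DANE_VERIFY_CMD=dane_verify_crt sh -c '. ./dane_batch.sh; verify_list'`, where dane_batch.sh is whatever file holds the functions above.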
Related Commands
- dig
- openssl
- MTA-STS