LibertaCasa/xmpp
9
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity

Investigate DANE #6

New Issue
Open
opened 2025-02-05 14:16:25 +01:00 by pratyush · 1 comment
pratyush commented 2025-02-05 14:16:25 +01:00
Owner
Copy Link

https://op-co.de/blog/posts/yax_im_dnssec/

https://op-co.de/blog/posts/yax_im_dnssec/
👍 1
pratyush commented 2025-06-22 14:03:10 +02:00
Author
Owner
Copy Link

Now that the TLSA records are in place, it is not as easy to replace your server certificate as it was before, because the old one is now anchored in DNS.

You need to perform the following steps in order to ensure that all clients will be able to connect at any time:

Obtain the new certificate Create a second set of TLSA records, for the new certificate (keep the old one in place) Wait for the configured DNS time-to-live to ensure that all users have received both sets of TLSA records Replace the old certificate on the server with the new one Remove the old TLSA records If you fail to add the TLSA records and wait the DNS TTL, some clients will have cached a copy of only the old TLSA records, so they will reject your new server certificate.

^ from the article in the first comment.

One can apparently use either the certificate hash or pubkey hash

  • 256 bit certificate hash. Flags need to be set to 1 0 1

    openssl x509 -in /path/to/crt -outform DER | openssl sha256

  • 256 bit public key hash. Flags need to be set to 3 1 1

    openssl pkey -pubout -outform DER -in /path/to/key |
sha256sum - | cut -d' ' -f1

Intending to go with the latter.

Prosody Docs

> Now that the TLSA records are in place, it is not as easy to replace your server certificate as it was before, because the old one is now anchored in DNS. > > You need to perform the following steps in order to ensure that all clients will be able to connect at any time: > > Obtain the new certificate > Create a second set of TLSA records, for the new certificate (keep the old one in place) > Wait for the configured DNS time-to-live to ensure that all users have received both sets of TLSA records > Replace the old certificate on the server with the new one > Remove the old TLSA records > If you fail to add the TLSA records and wait the DNS TTL, some clients will have cached a copy of only the old TLSA records, so they will reject your new server certificate. ^ from the article in the first comment. One can apparently use either the certificate hash or pubkey hash * 256 bit certificate hash. Flags need to be set to `1 0 1` ``` openssl x509 -in /path/to/crt -outform DER | openssl sha256 ``` * 256 bit public key hash. Flags need to be set to `3 1 1` ``` openssl pkey -pubout -outform DER -in /path/to/key | sha256sum - | cut -d' ' -f1 ``` Intending to go with the latter. [Prosody Docs](https://prosody.im/doc/dns#dane)
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
Something is not working
duplicate
This issue or pull request already exists
enhancement
New feature
help wanted
Need some help
invalid
Something is wrong
question
More information is needed
wontfix
This won't be fixed
Priority: Critical
Priority: High
Priority: Low
Priority: Medium
Type: Sprinkle
Write yaml to salt
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
coderobe Georg grapple Mikaela nish pratyush pytoxic samsepi0l
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: LibertaCasa/xmpp#6
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?