Bug 502372 - Please use TLSA
Summary: Please use TLSA
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Other (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Infrastructure
Duplicates: 508756
Reported: 2014-02-25 01:26 UTC by James Cloos
Modified: 2017-12-21 23:49 UTC
CC: 4 users

Attachments:
tlsagen (1.47 KB, text/plain), 2014-04-26 13:10 UTC, Eray Aslan

Description James Cloos 2014-02-25 01:26:55 UTC
Given that the gentoo.org zone is signed, it would be beneficial to add tlsa records.

At the very least, _25._tcp.mail.gentoo.org and _25._tcp.lists.gentoo.org should be added.  (But fix bug #502370 before adding _25._tcp.lists.gentoo.org. A type 3 cert for _25._tcp.mail.gentoo.org can be added at any time.)

3 1 1 or 3 0 1 tlsa do well for mx.

Entries for the https servers also can be added.
Comment 1 Alex Xu (Hello71) 2014-02-25 02:09:51 UTC
How would DANE be useful?
Comment 2 James Cloos 2014-02-25 10:04:35 UTC
It would enable MTAs which send to @lists.gentoo.org and @gentoo.org to verify that the mail actually makes it to the MX.  And without a MitM.

Even though not many support checking (postfix added it in 2.11, the current ~ version) yet, most MTAs do not link in the /etc/ssl/certs CAs, and as such will do no verifications w/o dane.

And given that gentoo.org is already signed, the cost is negligible.

As an aside, debian supports dane, and the ietf MXs will add it as soon as the contractor gets tls working.  Which is expected to be right after the upcoming meeting.

There will, I expect, over time also be a positive reputation benefit for the project in the form of evidence of security conscientiousness and community leadership.
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2014-02-25 20:53:19 UTC
I'll get there, I have promised DANE for a long time for Gentoo, I just need to work on better automating generation of the DNS records from our certs.

Not just for mail, but for WWW as well.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2014-04-26 11:49:33 UTC
*** Bug 508756 has been marked as a duplicate of this bug. ***
Comment 5 Eray Aslan gentoo-dev 2014-04-26 13:10:57 UTC
Created attachment 375766 [details]
tlsagen

Attached is the script I use to generate the TLSA records for MX hosts (courtesy of Victor Duchovni of postfix).

    $ tlsagen cert.pem $(uname -n) DANE-EE PKEY SHA2-256
    _25._tcp.mail.example.com IN TLSA 3 1 1 {hex string}

where "cert.pem" is the file with the SMTP server certificate, and $(uname -n) is the fully-qualified domain name of the server as an MX host for your domain.

The shell script expects OpenSSL 1.0.0 or later, and will not work with earlier versions.

When rotating keys, publish both the new and old TLSA records well in advance.

Adjust as needed for https.  Hope it helps.
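An added example, not the attached tlsagen script and not Gentoo's own tooling: a pure-Python reconstruction of what the `3 1 1` record above contains, computed from the DER certificate instead of via OpenSSL, and shown next to a `3 0 1` record so the key-rotation advice is concrete. The function names and the stand-in certificate bytes are my own constructions.

```python
import hashlib

def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    """Encode one DER TLV element."""
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def spki_der(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 DER certificate."""
    _, cert, _ = read_tlv(cert_der, 0)       # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)            # tbsCertificate ::= SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0          # skip the optional [0] version
    for _ in range(5):                       # serial, sigalg, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)
    return tbs[pos:end]

def tlsa_record(owner, cert_der, usage=3, selector=1, mtype=1):
    """Format a TLSA RR. selector 0 = full cert, 1 = SPKI; mtype 1 = SHA2-256, 2 = SHA2-512."""
    data = spki_der(cert_der) if selector == 1 else cert_der
    digest = hashlib.sha256 if mtype == 1 else hashlib.sha512
    return f"{owner} IN TLSA {usage} {selector} {mtype} {digest(data).hexdigest()}"

# Constructed stand-in certificates: real field order, dummy contents, not usable as certs.
SPKI = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")))
           + tlv(0x03, b"\x00" + b"\x01" * 16))

def fake_cert(spki, serial):
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial) + tlv(0x30, b"") * 4 + spki
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

CERT_OLD = fake_cert(SPKI, b"\x01")
CERT_NEW = fake_cert(SPKI, b"\x02")      # reissued certificate, same key pair

if __name__ == "__main__":
    for cert in (CERT_OLD, CERT_NEW):
        print(tlsa_record("_25._tcp.mail.example.com", cert, selector=1))  # same for both
        print(tlsa_record("_25._tcp.mail.example.com", cert, selector=0))  # changes per reissue
```

Selector 1 hashes only the SubjectPublicKeyInfo, so the record survives a certificate reissue that keeps the key, while selector 0 must be republished on every reissue; either way, a change of key pair needs the old and new records live side by side until the old key is retired.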
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-21 11:46:28 UTC
While DANE/TLSA is available for gentoo.org, forums.gentoo.org or gitweb.gentoo.org, it is not available for wiki.gentoo.org and bugs.gentoo.org. Can you please have a look?
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2017-12-21 23:49:27 UTC
TLSA implemented everywhere, please open new bugs for any missing parts you see