SWEDE - tools to create and verify TLSA (DANE) records
================================================================================
Swede aims to provide a one-stop solution to create and test TLSA records.
--------------------------------------------------------------------------------
swede is copyright Pieter Lexis <pieter.lexis@os3.nl> and is licensed under the
terms of the GNU General Public Licence version 2 or higher.

--------------------------------------------------------------------------------
- python-{unbound, argparse, ipaddr, m2crypto}

swede has been tested on Debian 6 (Squeeze) using the python-unbound package
from squeeze-backports.

--------------------------------------------------------------------------------
- Creation of all 18 permutations of TLSA records
- Output in draft and RFC format
- Ability to load certificates from disk to create records from
- Verify TLSA records 'in the field' with the certificates offered by the TLS
  service running on the server
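The record construction behind the creation tool, as an added example rather than swede's own code: a minimal DER walker pulls out the SubjectPublicKeyInfo, the full certificate (selector 0) or the SPKI (selector 1) is used raw or hashed with SHA-256 or SHA-512 (matching types 0, 1, 2), and the result is emitted in RFC 6698 presentation format for every usage/selector/matching combination. The certificate is a hand-built, unsigned DER structure constructed inline so the example runs offline; a real run would load a DER certificate from disk or from the TLS session.

```python
import hashlib

def _tlv(tag, content):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _read(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def spki_from_der(cert):
    """Return the DER SubjectPublicKeyInfo (TLSA selector 1) of a certificate."""
    _, body, _ = _read(cert, 0)           # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = _read(body, 0)            # TBSCertificate
    pos = _read(tbs, 0)[2] if tbs[0] == 0xA0 else 0   # skip explicit [0] version
    for _ in range(5):                    # serial, signature, issuer, validity, subject
        _, _, pos = _read(tbs, pos)
    _, _, end = _read(tbs, pos)           # subjectPublicKeyInfo
    return tbs[pos:end]

def tlsa_rdata(cert, usage, selector, matching):
    """RFC 6698 presentation RDATA: usage, selector, matching type, association data."""
    data = cert if selector == 0 else spki_from_der(cert)
    digest = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[matching]
    return "%d %d %d %s" % (usage, selector, matching, digest(data).hex())

def tlsa_records(host, port, cert, usages=(0, 1, 2), proto="tcp"):
    """Every usage/selector/matching permutation: 18 for the three draft usages."""
    owner = "_%d._%s.%s." % (port, proto, host)
    return ["%s IN TLSA %s" % (owner, tlsa_rdata(cert, u, s, m))
            for u in usages for s in (0, 1) for m in (0, 1, 2)]

# Constructed, unsigned certificate-shaped DER used as sample input (not a real cert).
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D010101"))
                   + _tlv(0x05, b"")) + _tlv(0x03, b"\x00" + b"\x11" * 40))
SAMPLE_CERT = _tlv(0x30, _tlv(0x30,
    _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
    + _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B"))) + _tlv(0x30, b"")
    + _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, b"300101000000Z"))
    + _tlv(0x30, b"") + SAMPLE_SPKI)
    + _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")))
    + _tlv(0x03, b"\x00" + b"\x22" * 16))
```

Passing usages=(0, 1, 2, 3) to tlsa_records adds the DANE-EE usage that RFC 6698 defined after the draft, giving 24 records instead of 18.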
--------------------------------------------------------------------------------
See EXAMPLES below and try the following:

EXAMPLES
--------------------------------------------------------------------------------
swede create --usage 1 --output rfc www.os3.nl
swede --insecure create --usage 0 mail.google.com

swede verify -p 1516 dane.kiev.practicum.os3.nl
swede verify ulthar.us

--------------------------------------------------------------------------------
- Creation tool that checks the CN in the Subject of the certificate
- IPv6 support (M2Crypto doesn't support it at the moment)
- Creation tool that does an AXFR for a full zone, collects all hostnames, gets
  the certificates (or the CA certificate from the commandline) and creates all
- Test certificates (other than using the functions in M2Crypto) when no chain
  is presented during the TLS session

--------------------------------------------------------------------------------
- swede is mostly untested.
- Not everything that can raise an exception is in a try/except block
- No support for SRV record indirection (see Issue 28 of the DANE-WG)
- No support for TLS/SSL over UDP or SCTP
- No support for STARTTLS type protocols (only 'straight' SSL/TLS connections)