SWEDE - a tool to create and verify TLSA (DANE) records
================================================================================
Swede aims to provide a one-stop solution to create and test TLSA records.
--------------------------------------------------------------------------------
swede is copyright Pieter Lexis <pieter.lexis@os3.nl> and is licensed under the
terms of the GNU General Public Licence version 2 or higher.
--------------------------------------------------------------------------------
- python-{unbound, argparse, ipaddr, m2crypto}
swede has been tested on Debian 6 (Squeeze) using the python-unbound package
from squeeze-backports.
--------------------------------------------------------------------------------
- Creation of all 24 permutations of TLSA records
- Output in draft and RFC format
- Ability to load certificates from disk to create records from
- Verify TLSA records 'in the field' with the certificates offered by the TLS
  service running on the server
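As an added illustration (not code from swede itself), this shows where the 24 permutations come from: usage 0-3, selector 0 (full certificate) or 1 (SubjectPublicKeyInfo), and matching type 0 (exact data), 1 (SHA-256) or 2 (SHA-512), emitted in RFC 6698 presentation format. The certificate is a constructed DER skeleton with a dummy key, not a real one, and the minimal DER reader assumes well-formed input.

```python
import hashlib

def der(tag, body):
    """Encode a short-form DER TLV (enough for the constructed sample below)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, value, position after this TLV) for the DER element at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length, as in real certificates
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def spki_from_cert(cert_der):
    """Extract the raw SubjectPublicKeyInfo TLV (selector 1) from a DER certificate."""
    _, cert_body, _ = read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)               # tbsCertificate ::= SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)                   # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)               # version was present: consume serialNumber
    for _ in range(4):                               # signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)
    return tbs[pos:end]

def tlsa_data(cert_der, selector, mtype):
    """Association data: selector 0 = full cert, 1 = SPKI; mtype 0/1/2 = full/SHA-256/SHA-512."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:
        return data.hex()
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).hexdigest()

def tlsa_records(owner, cert_der):
    """All 24 usage/selector/matching-type permutations in RFC 6698 presentation format."""
    return [f"{owner} IN TLSA {u} {s} {m} {tlsa_data(cert_der, s, m)}"
            for u in range(4) for s in range(2) for m in range(3)]

# Constructed sample: a structurally valid X.509 DER skeleton with an 8-byte dummy key, not a real certificate.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
                  + der(0x03, b"\x00" + b"\x01" * 8))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                            + der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))
                            + der(0x30, b"") * 3 + SAMPLE_SPKI)
                  + der(0x30, b"") + der(0x03, b"\x00"))

if __name__ == "__main__":
    for record in tlsa_records("_443._tcp.www.os3.nl.", SAMPLE_CERT):
        print(record)
```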
--------------------------------------------------------------------------------
See EXAMPLES below and try the following:
--------------------------------------------------------------------------------
swede create --usage 1 --output rfc www.os3.nl
swede --insecure create --usage 0 mail.google.com
swede verify -p 1516 dane.kiev.practicum.os3.nl
swede verify ulthar.us
--------------------------------------------------------------------------------
- Create and verify should check the CN in the Subject of the certificate
- The verification for usage 2 is _VERY_ naive
- IPv6 support (M2Crypto doesn't support it at the moment)
- Creation tool that does an AXFR for a full zone, collects all hostnames, gets
  the certificates (or the CA certificate from the commandline) and creates all
- Test certificates (other than using the functions in M2Crypto) when no chain
  is presented during the TLS session
--------------------------------------------------------------------------------
- swede is mostly untested.
- Not everything that can raise an exception is in a try/except block
- No support for SRV record indirection (see Issue 28 of the DANE-WG)
- No support for TLS/SSL over UDP or SCTP
- No support for STARTTLS type protocols (only 'straight' SSL/TLS connections)