This application checks a DANE TLS Service. It connects to the specified TLS service and then attempts to authenticate its TLS server certificate according to its corresponding DANE TLSA records in the DNS.
Port: 443
Domain name: johnscott.me
Checking Transcript:
Host: johnscott.me Port: 443
SNI: johnscott.me
DNS TLSA RRset:
  qname: _443._tcp.johnscott.me.
  3 1 1 749668855d3b65315767373bf854461abb7848e3157a5dbca714eb50defe6d5b
  3 1 1 3c2ac10bea704d0cb6ef440690535e563ba144dfc263d77ef0ebd62f2b5f82da
IP Addresses found:
  2600:3c03::f03c:93ff:fef6:24
  172.104.214.157

## Checking johnscott.me 2600:3c03::f03c:93ff:fef6:24 port 443
DANE TLSA 3 1 1 [74966885..]: not checked
DANE TLSA 3 1 1 [3c2ac10b..]: not checked
Result: FAILED: dial tcp [2600:3c03::f03c:93ff:fef6:24]:443: connect: no route to host

## Checking johnscott.me 172.104.214.157 port 443
DANE TLSA 3 1 1 [74966885..]: OK matched EE certificate
DANE TLSA 3 1 1 [3c2ac10b..]: FAIL did not match EE certificate

## Peer Certificate Chain:
  0 CN=johnscott.me
    CN=E5,O=Let's Encrypt,C=US
  1 CN=E5,O=Let's Encrypt,C=US
    CN=ISRG Root X1,O=Internet Security Research Group,C=US

## PKIX Certificate Chain 0:
  0 CN=johnscott.me
    CN=E5,O=Let's Encrypt,C=US
  1 CN=E5,O=Let's Encrypt,C=US
    CN=ISRG Root X1,O=Internet Security Research Group,C=US
  2 CN=ISRG Root X1,O=Internet Security Research Group,C=US
    CN=ISRG Root X1,O=Internet Security Research Group,C=US

## DANE Certificate Chain 0:
  0 CN=johnscott.me
    CN=E5,O=Let's Encrypt,C=US
  1 CN=E5,O=Let's Encrypt,C=US
    CN=ISRG Root X1,O=Internet Security Research Group,C=US

## TLS Connection Info:
  TLS version: 1.3
  CipherSuite: TLS_AES_128_GCM_SHA256

## End-Entity Certificate Info:
  X509 version: 3
  Serial#: 335d4e21114d55f2aa438f5bf9f3c2b2d84
  Subject: CN=johnscott.me
  Issuer: CN=E5,O=Let's Encrypt,C=US
  SAN dNSName: *.johnscott.me
  SAN dNSName: johnscott.me
  Signature Algorithm: ECDSA-SHA384
  PublicKey Algorithm: ECDSA 510-Bits
  Inception: 2025-02-04 22:02:24 +0000 UTC
  Expiration: 2025-05-05 22:02:23 +0000 UTC
  KU: DigitalSignature
  EKU: ServerAuth ClientAuth
  Is CA?: false
  SKI: 23295582b5340238913d99b9652f0e5a3ad8e5f1
  AKI: 9f2b5fcf3c214f9d04b7ed2b2cc4c6708bd2d70d
  OSCP Servers: [http://e5.o.lencr.org]
  CA Issuer URL: [http://e5.i.lencr.org/]
  CRL Distribution: []
  Policy OIDs: [2.23.140.1.2.1]

Result: DANE OK

[1] Authentication succeeded for some (1 of 2) peers.