This application checks a DANE TLS Service. It connects to the specified TLS service and then attempts to authenticate its TLS server certificate according to its corresponding DANE TLSA records in the DNS.
Port: 443
Domain name: johnscott.me
Checking Transcript:
Host: johnscott.me Port: 443
SNI: johnscott.me
DNS TLSA RRset:
  qname: _443._tcp.johnscott.me.
  3 1 0 3059301306072a8648ce3d020106082a8648ce3d030107034200045b7834ab6cfc5cf55135bd1e670c6184e28164e54970862b4521ecf66b14f40de2d48e266d377569d9366d8f91319ab33179d7794b858a0eeb735daf981a1294
IP Addresses found:
  2600:3c03::f03c:93ff:fef6:24
  172.104.214.157

## Checking johnscott.me 2600:3c03::f03c:93ff:fef6:24 port 443
DANE TLSA 3 1 0 [30593013..]: not checked
Result: FAILED: dial tcp [2600:3c03::f03c:93ff:fef6:24]:443: connect: no route to host

## Checking johnscott.me 172.104.214.157 port 443
DANE TLSA 3 1 0 [30593013..]: OK matched EE certificate
## Peer Certificate Chain:
  0 CN=johnscott.me
    CN=R3,O=Let's Encrypt,C=US
  1 CN=R3,O=Let's Encrypt,C=US
    CN=ISRG Root X1,O=Internet Security Research Group,C=US
  2 CN=ISRG Root X1,O=Internet Security Research Group,C=US
    CN=DST Root CA X3,O=Digital Signature Trust Co.
## PKIX Certificate Chain 0:
  0 CN=johnscott.me
    CN=R3,O=Let's Encrypt,C=US
  1 CN=R3,O=Let's Encrypt,C=US
    CN=ISRG Root X1,O=Internet Security Research Group,C=US
  2 CN=ISRG Root X1,O=Internet Security Research Group,C=US
    CN=ISRG Root X1,O=Internet Security Research Group,C=US
## DANE Certificate Chain 0:
  0 CN=johnscott.me
    CN=R3,O=Let's Encrypt,C=US
  1 CN=R3,O=Let's Encrypt,C=US
    CN=ISRG Root X1,O=Internet Security Research Group,C=US
  2 CN=ISRG Root X1,O=Internet Security Research Group,C=US
    CN=DST Root CA X3,O=Digital Signature Trust Co.
## TLS Connection Info:
  TLS version: TLS1.3
  CipherSuite: TLS_AES_128_GCM_SHA256
## End-Entity Certificate Info:
  X509 version: 3
  Serial#: 36409f3fc5907d7974470d6e3737c61bffb
  Subject: CN=johnscott.me
  Issuer: CN=R3,O=Let's Encrypt,C=US
  SAN dNSName: johnscott.me
  Signature Algorithm: SHA256-RSA
  PublicKey Algorithm: ECDSA 511-Bits
  Inception: 2023-04-11 19:41:25 +0000 UTC
  Expiration: 2023-07-10 19:41:24 +0000 UTC
  KU: DigitalSignature
  EKU: ServerAuth ClientAuth
  Is CA?: false
  SKI: fe321b4f3a7dd5052fb300a76213b347600f5397
  AKI: 142eb317b75856cbae500940e61faf9d8b14c2c6
  OSCP Servers: [http://r3.o.lencr.org]
  CA Issuer URL: [http://r3.i.lencr.org/]
  CRL Distribution: []
  Policy OIDs: [2.23.140.1.2.1 1.3.6.1.4.1.44947.1.1.1]
Result: DANE OK

[1] Authentication succeeded for some (1 of 2) peers.