Check a DANE TLS Service

This application checks a DANE TLS Service. It connects to the specified TLS service and then attempts to authenticate its TLS server certificate according to its corresponding DANE TLSA records in the DNS.

Port: 443
Domain name: www.n2diving.net

DANE Authentication Successful.


Checking Transcript:

Host: www.n2diving.net Port: 443
SNI: www.n2diving.net
DNS TLSA RRset:
  qname: _443._tcp.www.n2diving.net.
  0 0 1 3abbe63daf756c5016b6b85f52015fd8e8acbe277c5087b127a60563a841ed8a
IP Addresses found:
  2606:4700:3037::ac43:d7b7
  2606:4700:3031::6815:4b40
  172.67.215.183
  104.21.75.64

## Checking www.n2diving.net 2606:4700:3037::ac43:d7b7 port 443
DANE TLSA 0 0 1 [3abbe63d..]: OK matched TA certificate at depth 1
## Peer Certificate Chain:
   0 CN=sni.cloudflaressl.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US
     CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
   1 CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
     CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
## Verified Certificate Chain 0:
   0 CN=sni.cloudflaressl.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US
     CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
   1 CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
     CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
   2 CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
     CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
## TLS Connection Info:
   TLS version: TLS1.3
   CipherSuite: TLS_AES_128_GCM_SHA256
## End-Entity Certificate Info:
   X509 version: 3
   Serial#: 9dd3362c47ad13eb056ac52ba5c1557
   Subject: CN=sni.cloudflaressl.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US
   Issuer:  CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
   SAN dNSName: sni.cloudflaressl.com
   SAN dNSName: n2diving.net
   SAN dNSName: *.n2diving.net
   Signature Algorithm: ECDSA-SHA256
   PublicKey Algorithm: ECDSA 510-Bits
   Inception:  2021-06-15 00:00:00 +0000 UTC
   Expiration: 2022-06-14 23:59:59 +0000 UTC
   KU: DigitalSignature
   EKU: ServerAuth ClientAuth
   Is CA?: false
   SKI: 351a7b46ce2759b923f9a48fc86238ffa4b589ed
   AKI: a5ce37eaebb0750e946788b445fad9241087961f
   OSCP Servers: [http://ocsp.digicert.com]
   CA Issuer URL: [http://cacerts.digicert.com/CloudflareIncECCCA-3.crt]
   CRL Distribution: [http://crl3.digicert.com/CloudflareIncECCCA-3.crl http://crl4.digicert.com/CloudflareIncECCCA-3.crl]
   Policy OIDs: [2.23.140.1.2.2]
Result: DANE OK

## Checking www.n2diving.net 2606:4700:3031::6815:4b40 port 443
DANE TLSA 0 0 1 [3abbe63d..]: OK matched TA certificate at depth 1
## Peer Certificate Chain:
   0 CN=sni.cloudflaressl.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US
     CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
   1 CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
     CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
## Verified Certificate Chain 0:
   0 CN=sni.cloudflaressl.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US
     CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
   1 CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
     CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
   2 CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
     CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
## TLS Connection Info:
   TLS version: TLS1.3
   CipherSuite: TLS_AES_128_GCM_SHA256
## End-Entity Certificate Info:
   X509 version: 3
   Serial#: 9dd3362c47ad13eb056ac52ba5c1557
   Subject: CN=sni.cloudflaressl.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US
   Issuer:  CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
   SAN dNSName: sni.cloudflaressl.com
   SAN dNSName: n2diving.net
   SAN dNSName: *.n2diving.net
   Signature Algorithm: ECDSA-SHA256
   PublicKey Algorithm: ECDSA 510-Bits
   Inception:  2021-06-15 00:00:00 +0000 UTC
   Expiration: 2022-06-14 23:59:59 +0000 UTC
   KU: DigitalSignature
   EKU: ServerAuth ClientAuth
   Is CA?: false
   SKI: 351a7b46ce2759b923f9a48fc86238ffa4b589ed
   AKI: a5ce37eaebb0750e946788b445fad9241087961f
   OSCP Servers: [http://ocsp.digicert.com]
   CA Issuer URL: [http://cacerts.digicert.com/CloudflareIncECCCA-3.crt]
   CRL Distribution: [http://crl3.digicert.com/CloudflareIncECCCA-3.crl http://crl4.digicert.com/CloudflareIncECCCA-3.crl]
   Policy OIDs: [2.23.140.1.2.2]
Result: DANE OK

## Checking www.n2diving.net 172.67.215.183 port 443
DANE TLSA 0 0 1 [3abbe63d..]: OK matched TA certificate at depth 1
## Peer Certificate Chain:
   0 CN=sni.cloudflaressl.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US
     CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
   1 CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
     CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
## Verified Certificate Chain 0:
   0 CN=sni.cloudflaressl.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US
     CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
   1 CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
     CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
   2 CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
     CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
## TLS Connection Info:
   TLS version: TLS1.3
   CipherSuite: TLS_AES_128_GCM_SHA256
## End-Entity Certificate Info:
   X509 version: 3
   Serial#: 9dd3362c47ad13eb056ac52ba5c1557
   Subject: CN=sni.cloudflaressl.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US
   Issuer:  CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
   SAN dNSName: sni.cloudflaressl.com
   SAN dNSName: n2diving.net
   SAN dNSName: *.n2diving.net
   Signature Algorithm: ECDSA-SHA256
   PublicKey Algorithm: ECDSA 510-Bits
   Inception:  2021-06-15 00:00:00 +0000 UTC
   Expiration: 2022-06-14 23:59:59 +0000 UTC
   KU: DigitalSignature
   EKU: ServerAuth ClientAuth
   Is CA?: false
   SKI: 351a7b46ce2759b923f9a48fc86238ffa4b589ed
   AKI: a5ce37eaebb0750e946788b445fad9241087961f
   OSCP Servers: [http://ocsp.digicert.com]
   CA Issuer URL: [http://cacerts.digicert.com/CloudflareIncECCCA-3.crt]
   CRL Distribution: [http://crl3.digicert.com/CloudflareIncECCCA-3.crl http://crl4.digicert.com/CloudflareIncECCCA-3.crl]
   Policy OIDs: [2.23.140.1.2.2]
Result: DANE OK

## Checking www.n2diving.net 104.21.75.64 port 443
DANE TLSA 0 0 1 [3abbe63d..]: OK matched TA certificate at depth 1
## Peer Certificate Chain:
   0 CN=sni.cloudflaressl.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US
     CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
   1 CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
     CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
## Verified Certificate Chain 0:
   0 CN=sni.cloudflaressl.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US
     CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
   1 CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
     CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
   2 CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
     CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
## TLS Connection Info:
   TLS version: TLS1.3
   CipherSuite: TLS_AES_128_GCM_SHA256
## End-Entity Certificate Info:
   X509 version: 3
   Serial#: 9dd3362c47ad13eb056ac52ba5c1557
   Subject: CN=sni.cloudflaressl.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US
   Issuer:  CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
   SAN dNSName: sni.cloudflaressl.com
   SAN dNSName: n2diving.net
   SAN dNSName: *.n2diving.net
   Signature Algorithm: ECDSA-SHA256
   PublicKey Algorithm: ECDSA 510-Bits
   Inception:  2021-06-15 00:00:00 +0000 UTC
   Expiration: 2022-06-14 23:59:59 +0000 UTC
   KU: DigitalSignature
   EKU: ServerAuth ClientAuth
   Is CA?: false
   SKI: 351a7b46ce2759b923f9a48fc86238ffa4b589ed
   AKI: a5ce37eaebb0750e946788b445fad9241087961f
   OSCP Servers: [http://ocsp.digicert.com]
   CA Issuer URL: [http://cacerts.digicert.com/CloudflareIncECCCA-3.crt]
   CRL Distribution: [http://crl3.digicert.com/CloudflareIncECCCA-3.crl http://crl4.digicert.com/CloudflareIncECCCA-3.crl]
   Policy OIDs: [2.23.140.1.2.2]
Result: DANE OK

[0] Authentication succeeded for all (4) peers.




Check another DANE service?


Other DANE Tools


References