Check a DANE TLS Service

This application checks a DANE TLS Service. It connects to the specified TLS service and then attempts to authenticate its TLS server certificate according to its corresponding DANE TLSA records in the DNS.

Port: 5223
Domain name: xmpp.eco.br
Name Check for DANE-EE: on

DANE Authentication Failed.


Checking Transcript: 

Host: xmpp.eco.br Port: 5223
SNI: xmpp.eco.br
DNS TLSA RRset:
  qname: _5223._tcp.xmpp.eco.br.
  3 1 1 7f6443180ba81570d8be42016c3a9a06371939306b0c95bc7c0b6dd4b8d3dc9c
IP Addresses found:
  2a02:c206:2213:944::1
  37.60.248.136

## Checking xmpp.eco.br 2a02:c206:2213:944::1 port 5223
DANE TLSA 3 1 1 [7f644318..]: FAIL did not match EE certificate
## Peer Certificate Chain:
   0 CN=xmpp.eco.br
     CN=E6,O=Let's Encrypt,C=US
   1 CN=E6,O=Let's Encrypt,C=US
     CN=ISRG Root X1,O=Internet Security Research Group,C=US
## PKIX Certificate Chain 0:
   0 CN=xmpp.eco.br
     CN=E6,O=Let's Encrypt,C=US
   1 CN=E6,O=Let's Encrypt,C=US
     CN=ISRG Root X1,O=Internet Security Research Group,C=US
   2 CN=ISRG Root X1,O=Internet Security Research Group,C=US
     CN=ISRG Root X1,O=Internet Security Research Group,C=US
## DANE Certificate Chain 0:
   0 CN=xmpp.eco.br
     CN=E6,O=Let's Encrypt,C=US
   1 CN=E6,O=Let's Encrypt,C=US
     CN=ISRG Root X1,O=Internet Security Research Group,C=US
## TLS Connection Info:
   TLS version: 1.3
   CipherSuite: TLS_AES_256_GCM_SHA384
## End-Entity Certificate Info:
   X509 version: 3
   Serial#: 372fe3a4e2adb8497432f5b01e4c8ae5fe8
   Subject: CN=xmpp.eco.br
   Issuer:  CN=E6,O=Let's Encrypt,C=US
   SAN dNSName: xmpp.eco.br
   Signature Algorithm: ECDSA-SHA384
   PublicKey Algorithm: ECDSA 509-Bits
   Inception:  2025-02-08 08:00:31 +0000 UTC
   Expiration: 2025-05-09 08:00:30 +0000 UTC
   KU: DigitalSignature
   EKU: ServerAuth ClientAuth
   Is CA?: false
   SKI: 5bda12136ff66696269ea46ff856a2bb19a92c85
   AKI: 9327469803a951688e98d6c44248db23bf5894d2
   OSCP Servers: [http://e6.o.lencr.org]
   CA Issuer URL: [http://e6.i.lencr.org/]
   CRL Distribution: []
   Policy OIDs: [2.23.140.1.2.1]
Result: FAILED: DANE TLS authentication failed

## Checking xmpp.eco.br 37.60.248.136 port 5223
DANE TLSA 3 1 1 [7f644318..]: FAIL did not match EE certificate
## Peer Certificate Chain:
   0 CN=xmpp.eco.br
     CN=E6,O=Let's Encrypt,C=US
   1 CN=E6,O=Let's Encrypt,C=US
     CN=ISRG Root X1,O=Internet Security Research Group,C=US
## PKIX Certificate Chain 0:
   0 CN=xmpp.eco.br
     CN=E6,O=Let's Encrypt,C=US
   1 CN=E6,O=Let's Encrypt,C=US
     CN=ISRG Root X1,O=Internet Security Research Group,C=US
   2 CN=ISRG Root X1,O=Internet Security Research Group,C=US
     CN=ISRG Root X1,O=Internet Security Research Group,C=US
## DANE Certificate Chain 0:
   0 CN=xmpp.eco.br
     CN=E6,O=Let's Encrypt,C=US
   1 CN=E6,O=Let's Encrypt,C=US
     CN=ISRG Root X1,O=Internet Security Research Group,C=US
## TLS Connection Info:
   TLS version: 1.3
   CipherSuite: TLS_AES_256_GCM_SHA384
## End-Entity Certificate Info:
   X509 version: 3
   Serial#: 372fe3a4e2adb8497432f5b01e4c8ae5fe8
   Subject: CN=xmpp.eco.br
   Issuer:  CN=E6,O=Let's Encrypt,C=US
   SAN dNSName: xmpp.eco.br
   Signature Algorithm: ECDSA-SHA384
   PublicKey Algorithm: ECDSA 509-Bits
   Inception:  2025-02-08 08:00:31 +0000 UTC
   Expiration: 2025-05-09 08:00:30 +0000 UTC
   KU: DigitalSignature
   EKU: ServerAuth ClientAuth
   Is CA?: false
   SKI: 5bda12136ff66696269ea46ff856a2bb19a92c85
   AKI: 9327469803a951688e98d6c44248db23bf5894d2
   OSCP Servers: [http://e6.o.lencr.org]
   CA Issuer URL: [http://e6.i.lencr.org/]
   CRL Distribution: []
   Policy OIDs: [2.23.140.1.2.1]
Result: FAILED: DANE TLS authentication failed

[2] Authentication failed for all (2) peers.



Check another DANE service?

Other DANE Tools

References