{"id":21464230,"url":"https://github.com/shuque/gotls","last_synced_at":"2025-07-15T03:32:41.819Z","repository":{"id":64302166,"uuid":"264508509","full_name":"shuque/gotls","owner":"shuque","description":"Diagnostic tool to perform DANE \u0026 PKIX authentication of a TLS server","archived":false,"fork":false,"pushed_at":"2023-07-06T03:51:13.000Z","size":57,"stargazers_count":8,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-06-20T08:59:44.320Z","etag":null,"topics":["authentication","certificate","dane","diagnostic","pkix","tls"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/shuque.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-05-16T19:11:25.000Z","updated_at":"2024-04-18T10:01:04.000Z","dependencies_parsed_at":"2024-06-20T08:22:38.244Z","dependency_job_id":null,"html_url":"https://github.com/shuque/gotls","commit_stats":null,"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuque%2Fgotls","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuque%2Fgotls/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuque%2Fgotls/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuque%2Fgotls/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/shuque","download_url":"https://codeload.github.com/shuqu
e/gotls/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":226017327,"owners_count":17560465,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","certificate","dane","diagnostic","pkix","tls"],"created_at":"2024-11-23T07:30:25.308Z","updated_at":"2024-11-23T07:30:26.077Z","avatar_url":"https://github.com/shuque.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# gotls\n\ngotls is a TLS server diagnostic tool that understands DANE and PKIX\nauthentication. It connects to a TLS server, performs DANE and/or PKIX\nauthentication of the server certificate chain, and then optionally\nprints out information about the TLS connection and the certificate.\n\n\n### Pre-requisites\n\n* Go\n* Go dane package: https://github.com/shuque/dane\n* Go dns package: https://github.com/miekg/dns\n\n\nDANE authentication requires the use of a validating DNS resolver\nthat sets the AD bit on authenticated responses. By default, this\nprogram uses the resolvers listed in /etc/resolv.conf, but\nan alternate resolver address and port can be specified with the\n-r and -rp command line options. If no secure DANE TLSA records\nare found, or if the resolver doesn't validate, the program will\nfall back to normal PKIX authentication. The \"-m dane\" switch can\nbe used to prevent this fallback and force DANE authentication.\n\nSTARTTLS is supported for SMTP, POP3, IMAP, and XMPP via the\n\"-s appname\" option. 
If the STARTTLS application service expects\na service name different from the server hostname, this can be\nspecified with the \"-n name\" option. Per current spec, this\nprogram does not perform certificate hostname checks for DANE-EE\nmode TLSA records, but this can be overridden with the \"-dane-ee-name\"\noption. For SMTP STARTTLS the program ignores PKIX-* mode TLSA\nrecords, unless the \"-smtp-any-mode\" option is specified.\n\nThere are several other command line options, which are listed in\nthe Usage section below.\n\n\n### Limitations\n\ngotls does not do certificate revocation checks (CRL, OCSP, or\nstapled OCSP responses). A future version might support checking\nstapled OCSP responses.\n\n\n### Building\n\nJust run 'go build'. This will generate the executable 'gotls'.\n\n### Usage:\n\n```\ngotls, version 0.3.3 (built with go dane v0.2.3)\nUsage: gotls [Options] \u003chost\u003e [\u003cport\u003e]\n\n        If port is omitted, the default port 443 is used. If hostname is an\n        IP address string, then a name must be specified via the SNI option.\n\n        Options:\n        -h               Print this help string\n        -d               Debug mode - print additional info\n        -m mode          Mode: \"dane\" or \"pkix\"\n        -cafile FILE     PKIX Root CA file in PEM format\n        -sni name        Specify SNI name to send and verify\n        -s starttls      STARTTLS application (smtp, imap, pop3)\n        -n name          Service name (if different from hostname)\n        -version VER     TLS version to use (e.g. 
\"1.3\")\n        -4               Use IPv4 transport only\n        -6               Use IPv6 transport only\n        -r ip            DNS Resolver IP address\n        -rp port         DNS Resolver port (default 53)\n        -t N             DNS query timeout value in seconds (default 3)\n        -dane-ee-name    Do hostname check even for DANE-EE mode\n        -smtp-any-mode   Allow STARTTLS SMTP for any DANE usage mode\n        -noverify        Don't perform server certificate verification\n        -printchain      Print details of full certificate chain\n```\n\n### Exit codes:\n\nThe program exits with the following codes:\n\n* 0 - Authentication succeeded for all peers.\n* 1 - Authentication succeeded for some but not all peers\n* 2 - Authentication failed for all peers\n* 3 - Some other error (incorrect command line arguments, etc)\n* 4 - Server authentication was not performed. (-noverify option)\n\n\n### Example runs:\n\nCheck the HTTPS (port 443) TLS service at www.huque.com.\n\n```\n$ gotls www.huque.com\n\n## Checking www.huque.com. 2600:3c03:e000:81::a port 443\nResult: DANE OK\n\n## Checking www.huque.com. 50.116.63.23 port 443\nResult: DANE OK\n\n[0] Authentication succeeded for all (2) peers.\n```\n\nCheck the HTTPS service at amazon.com. Here, no DANE TLSA records\nare found (in fact the zone is unsigned, so we get an unauthenticated\nresponse for the TLSA query, thus negating the possibility of DANE).\nSo, the program prints a warning and falls back to traditional PKIX\nauthentication:\n\n```\n$ gotls www.amazon.com\n\nNo DANE TLSA records found.\n\n## Checking www.amazon.com. 
99.84.117.249 port 443\nResult: PKIX OK\n\n[0] Authentication succeeded for all (1) peers.\n```\n\nForcing DANE authentication for the previous service with the\n\"-m dane\" switch produces an authentication failure result:\n\n```\n$ gotls -m dane www.amazon.com\n\nNo DANE TLSA records found.\n```\n\nUsing the -d (debug) switch displays a great deal of additional\ndiagnostic information, including the actual DANE TLSA records,\noffered and verified certificate chains, DANE record processing\nresults, and verbose details of the server certificate. (Verbose\ndetails of the entire certificate chain can be obtained via the\n-printchain option):\n\n\n```\n$ gotls -d www.huque.com\n\nHost: www.huque.com Port: 443\nSNI: www.huque.com\nDNS TLSA RRset:\n  qname: _443._tcp.www.huque.com.\n  3 1 1 6c85cc093c31221cbff9e61cff5e9ca14bfeb0f9bbc341a7695290275d813cf4\n  3 1 1 de4369cf0866a1e7626d73db36dbfc4b74097c3c70489a2d3351b6e75e99583a\nIP Addresses found:\n  2600:3c03:e000:81::a\n  50.116.63.23\n\n## Checking www.huque.com 2600:3c03:e000:81::a port 443\nDANE TLSA 3 1 1 [6c85cc09..]: OK matched EE certificate\nDANE TLSA 3 1 1 [de4369cf..]: FAIL did not match EE certificate\n## Peer Certificate Chain:\n   0 CN=www.huque.com\n     CN=R3,O=Let's Encrypt,C=US\n   1 CN=R3,O=Let's Encrypt,C=US\n     CN=ISRG Root X1,O=Internet Security Research Group,C=US\n   2 CN=ISRG Root X1,O=Internet Security Research Group,C=US\n     CN=DST Root CA X3,O=Digital Signature Trust Co.\n## PKIX Certificate Chain 0:\n   0 CN=www.huque.com\n     CN=R3,O=Let's Encrypt,C=US\n   1 CN=R3,O=Let's Encrypt,C=US\n     CN=ISRG Root X1,O=Internet Security Research Group,C=US\n   2 CN=ISRG Root X1,O=Internet Security Research Group,C=US\n     CN=ISRG Root X1,O=Internet Security Research Group,C=US\n## DANE Certificate Chain 0:\n   0 CN=www.huque.com\n     CN=R3,O=Let's Encrypt,C=US\n   1 CN=R3,O=Let's Encrypt,C=US\n     CN=ISRG Root X1,O=Internet Security Research Group,C=US\n   2 CN=ISRG Root X1,O=Internet 
Security Research Group,C=US\n     CN=DST Root CA X3,O=Digital Signature Trust Co.\n## TLS Connection Info:\n   TLS version: TLS1.3\n   CipherSuite: TLS_AES_128_GCM_SHA256\n## End-Entity Certificate Info:\n   X509 version: 3\n   Serial#: 32b409bacd77855987674821c95f997dc2b\n   Subject: CN=www.huque.com\n   Issuer:  CN=R3,O=Let's Encrypt,C=US\n   SAN dNSName: www.huque.com\n   Signature Algorithm: SHA256-RSA\n   PublicKey Algorithm: RSA 2048-Bits\n   Inception:  2022-02-18 18:09:53 +0000 UTC\n   Expiration: 2022-05-19 18:09:52 +0000 UTC\n   KU: DigitalSignature KeyEncipherment\n   EKU: ServerAuth ClientAuth\n   Is CA?: false\n   SKI: e2fc45cf4127bb62abead6bf3c74a31bc068f1c2\n   AKI: 142eb317b75856cbae500940e61faf9d8b14c2c6\n   OSCP Servers: [http://r3.o.lencr.org]\n   CA Issuer URL: [http://r3.i.lencr.org/]\n   CRL Distribution: []\n   Policy OIDs: [2.23.140.1.2.1 1.3.6.1.4.1.44947.1.1.1]\nResult: DANE OK\n\n## Checking www.huque.com 50.116.63.23 port 443\nDANE TLSA 3 1 1 [6c85cc09..]: OK matched EE certificate\nDANE TLSA 3 1 1 [de4369cf..]: FAIL did not match EE certificate\n## Peer Certificate Chain:\n   0 CN=www.huque.com\n     CN=R3,O=Let's Encrypt,C=US\n   1 CN=R3,O=Let's Encrypt,C=US\n     CN=ISRG Root X1,O=Internet Security Research Group,C=US\n   2 CN=ISRG Root X1,O=Internet Security Research Group,C=US\n     CN=DST Root CA X3,O=Digital Signature Trust Co.\n## PKIX Certificate Chain 0:\n   0 CN=www.huque.com\n     CN=R3,O=Let's Encrypt,C=US\n   1 CN=R3,O=Let's Encrypt,C=US\n     CN=ISRG Root X1,O=Internet Security Research Group,C=US\n   2 CN=ISRG Root X1,O=Internet Security Research Group,C=US\n     CN=ISRG Root X1,O=Internet Security Research Group,C=US\n## DANE Certificate Chain 0:\n   0 CN=www.huque.com\n     CN=R3,O=Let's Encrypt,C=US\n   1 CN=R3,O=Let's Encrypt,C=US\n     CN=ISRG Root X1,O=Internet Security Research Group,C=US\n   2 CN=ISRG Root X1,O=Internet Security Research Group,C=US\n     CN=DST Root CA X3,O=Digital Signature Trust Co.\n## TLS 
Connection Info:\n   TLS version: TLS1.3\n   CipherSuite: TLS_AES_128_GCM_SHA256\n## End-Entity Certificate Info:\n   X509 version: 3\n   Serial#: 32b409bacd77855987674821c95f997dc2b\n   Subject: CN=www.huque.com\n   Issuer:  CN=R3,O=Let's Encrypt,C=US\n   SAN dNSName: www.huque.com\n   Signature Algorithm: SHA256-RSA\n   PublicKey Algorithm: RSA 2048-Bits\n   Inception:  2022-02-18 18:09:53 +0000 UTC\n   Expiration: 2022-05-19 18:09:52 +0000 UTC\n   KU: KeyEncipherment DigitalSignature\n   EKU: ServerAuth ClientAuth\n   Is CA?: false\n   SKI: e2fc45cf4127bb62abead6bf3c74a31bc068f1c2\n   AKI: 142eb317b75856cbae500940e61faf9d8b14c2c6\n   OSCP Servers: [http://r3.o.lencr.org]\n   CA Issuer URL: [http://r3.i.lencr.org/]\n   CRL Distribution: []\n   Policy OIDs: [2.23.140.1.2.1 1.3.6.1.4.1.44947.1.1.1]\nResult: DANE OK\n\n[0] Authentication succeeded for all (2) peers.\n```\n\nThe program understands a number of application services that use\nSTARTTLS negotiation: SMTP, POP3, IMAP, XMPP-CLIENT and XMPP-SERVER.\nUsing the \"-s appname\" option will use this mode.\n\nBelow, we check only the IPv6 (-6) SMTP STARTTLS (-s smtp) service at\nmta.openssl.org port 25:\n\n```\n$ gotls -d -6 -s smtp mta.openssl.org 25\n\nHost: mta.openssl.org Port: 25\nSNI: mta.openssl.org\nSTARTTLS application: smtp\nDNS TLSA RRset:\n  qname: _25._tcp.mta.openssl.org.\n  3 1 1 6cf12d78fbf242909d01b96ab5590812954058dc32f8415f048fff064291921e\nIP Addresses found:\n  2001:608:c00:180::1:e6\n\n## Checking mta.openssl.org 2001:608:c00:180::1:e6 port 25\nDANE TLSA 3 1 1 [6cf12d78..]: OK matched EE certificate\n## STARTTLS Transcript:\nrecv: 220-mta.openssl.org ESMTP Postfix\nrecv: 220 mta.openssl.org ESMTP Postfix\nsend: EHLO cheetara.huque.com\nrecv: 250-mta.openssl.org\nrecv: 250-PIPELINING\nrecv: 250-SIZE 36700160\nrecv: 250-VRFY\nrecv: 250-ETRN\nrecv: 250-STARTTLS\nrecv: 250-ENHANCEDSTATUSCODES\nrecv: 250-8BITMIME\nrecv: 250-DSN\nrecv: 250 CHUNKING\nsend: STARTTLS\nrecv: 220 2.0.0 Ready to start 
TLS\n## Peer Certificate Chain:\n   0 CN=mta.openssl.org\n     CN=R3,O=Let's Encrypt,C=US\n   1 CN=R3,O=Let's Encrypt,C=US\n     CN=ISRG Root X1,O=Internet Security Research Group,C=US\n   2 CN=ISRG Root X1,O=Internet Security Research Group,C=US\n     CN=DST Root CA X3,O=Digital Signature Trust Co.\n## PKIX Certificate Chain 0:\n   0 CN=mta.openssl.org\n     CN=R3,O=Let's Encrypt,C=US\n   1 CN=R3,O=Let's Encrypt,C=US\n     CN=ISRG Root X1,O=Internet Security Research Group,C=US\n   2 CN=ISRG Root X1,O=Internet Security Research Group,C=US\n     CN=ISRG Root X1,O=Internet Security Research Group,C=US\n## DANE Certificate Chain 0:\n   0 CN=mta.openssl.org\n     CN=R3,O=Let's Encrypt,C=US\n   1 CN=R3,O=Let's Encrypt,C=US\n     CN=ISRG Root X1,O=Internet Security Research Group,C=US\n   2 CN=ISRG Root X1,O=Internet Security Research Group,C=US\n     CN=DST Root CA X3,O=Digital Signature Trust Co.\n## TLS Connection Info:\n   TLS version: TLS1.3\n   CipherSuite: TLS_AES_128_GCM_SHA256\n## End-Entity Certificate Info:\n   X509 version: 3\n   Serial#: 368362cd51ed35691bafe9deb7d0e0b46cf\n   Subject: CN=mta.openssl.org\n   Issuer:  CN=R3,O=Let's Encrypt,C=US\n   SAN dNSName: mta.openssl.org\n   Signature Algorithm: SHA256-RSA\n   PublicKey Algorithm: RSA 4096-Bits\n   Inception:  2022-02-02 11:00:05 +0000 UTC\n   Expiration: 2022-05-03 11:00:04 +0000 UTC\n   KU: DigitalSignature KeyEncipherment\n   EKU: ServerAuth ClientAuth\n   Is CA?: false\n   SKI: e27f74ac4c9b0c6694d6af580f005d7f34e0e80c\n   AKI: 142eb317b75856cbae500940e61faf9d8b14c2c6\n   OSCP Servers: [http://r3.o.lencr.org]\n   CA Issuer URL: [http://r3.i.lencr.org/]\n   CRL Distribution: []\n   Policy OIDs: [2.23.140.1.2.1 1.3.6.1.4.1.44947.1.1.1]\nResult: DANE OK\n\n[0] Authentication succeeded for all (1) 
peers.\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshuque%2Fgotls","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshuque%2Fgotls","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshuque%2Fgotls/lists"}