# notes from poking DANE and TLSA stuff

(thank you to tomasino for having cosmic.voyage use TLSA records)

brandname openssl has some TLSA support. `-dane_tlsa_domain` names the host the record is for, and `-dane_tlsa_rrdata` takes one TLSA record in presentation form ("usage selector matching-type hex"), which is exactly what `dig +short` prints:

```
openssl s_client -connect cosmic.voyage:1965 -dane_tlsa_domain cosmic.voyage -dane_tlsa_rrdata "$(dig +short -t TLSA _1965._tcp.cosmic.voyage)"
```

two caveats: if the name has more than one TLSA record, dig prints one per line and you need one `-dane_tlsa_rrdata` per record rather than stuffing them all into one argument; and s_client completes the handshake even when the cert does not match, so you have to read the output and look for the "DANE TLSA ... matched" line (or the verification error) instead of relying on the exit status.

there's a python script that will verify TLSA records for you. a lot easier to use than the other two because it does its own DNS lookups.

=> https://github.com/letoams/hash-slinger
=> https://packages.debian.org/hash-slinger

```
tlsa --verify --port 1965 cosmic.voyage
```

there's another little tool that can do TLSA checking, this time in C.

=> https://github.com/vdukhovni/ssl_dane

## grab the cert...

`openssl x509` reads PEM from stdin by default, so this pipeline writes the server's leaf cert (PEM) to cosmic.cert. add `-servername cosmic.voyage` to s_client if the server needs SNI to pick the right cert.

```
echo | openssl s_client -connect cosmic.voyage:1965 | openssl x509 -out cosmic.cert
```

## I don't know what I'm doing. :D

```
LD_LIBRARY_PATH=. ./connected 3 1 sha256 cosmic.cert cosmic.cert 1965 cosmic.voyage
```

I'm not sure why this "works", but it is probably wrong. it isn't using the value from the TLSA record at all, just two copies of the cert.
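to make the "3 1 1" in a TLSA record concrete, here is what a checker actually has to compare. this is an added example for these notes, not code from ssl_dane, hash-slinger or openssl: a small stdlib-only python script that walks the DER of an X.509 cert far enough to pull out the SubjectPublicKeyInfo (selector 1) or use the whole cert (selector 0), hashes it per the matching type (0 = raw, 1 = SHA-256, 2 = SHA-512), and compares the result with the hex data from a `dig +short -t TLSA` line. the cert it runs on is a constructed dummy built inline (empty issuer/subject, zeroed key and signature) so the script runs offline; for the real thing, convert the PEM from above with `openssl x509 -in cosmic.cert -outform DER -out cosmic.der` and pass those bytes plus the dig output. it handles usage 3 (DANE-EE) only, where the record pins the leaf itself; usages 0-2 additionally need PKIX chain or trust-anchor handling, and it does no DNSSEC validation of the record, which is the actual security of DANE.

```python
# Added example (not from the original notes or from any of the tools they mention):
# minimal RFC 6698 TLSA matcher for DANE-EE (usage 3) records, stdlib only.
import hashlib


def _tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, start = first, pos + 2
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    return tag, start, start + length


def spki_from_der(cert):
    """Extract the DER-encoded SubjectPublicKeyInfo from a certificate (RFC 5280 field order)."""
    _, pos, _ = _tlv(cert, 0)              # Certificate SEQUENCE
    _, pos, _ = _tlv(cert, pos)            # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert, pos)
    tag, _, end = _tlv(cert, pos)          # subjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return cert[pos:end]


def tlsa_data(cert, selector, mtype):
    """Certificate association data: selector picks the bytes, matching type the hash."""
    if selector == 0:
        payload = cert                     # Cert: the full DER certificate
    elif selector == 1:
        payload = spki_from_der(cert)      # SPKI: just the public key info
    else:
        raise ValueError("unknown selector %d" % selector)
    if mtype == 0:
        return payload                     # Full: exact bytes
    if mtype == 1:
        return hashlib.sha256(payload).digest()
    if mtype == 2:
        return hashlib.sha512(payload).digest()
    raise ValueError("unknown matching type %d" % mtype)


def tlsa_rdata(cert, usage=3, selector=1, mtype=1):
    """Render the TLSA record a zone would publish for this cert."""
    return "%d %d %d %s" % (usage, selector, mtype, tlsa_data(cert, selector, mtype).hex().upper())


def tlsa_matches(cert, rdata):
    """rdata as printed by `dig +short -t TLSA`; the hex may be split across spaces."""
    usage, selector, mtype, *hexparts = rdata.split()
    if int(usage) != 3:                    # only DANE-EE is handled here; others need chain logic
        raise ValueError("only usage 3 (DANE-EE) is supported by this example")
    expected = bytes.fromhex("".join(hexparts))
    return tlsa_data(cert, int(selector), int(mtype)) == expected


# --- constructed dummy certificate (structurally valid DER, not a real key or signature) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


_ECDSA_SHA256 = _der(0x30, _der(0x06, bytes.fromhex("2A8648CE3D040302")))
SAMPLE_SPKI = _der(0x30,
    _der(0x30, _der(0x06, bytes.fromhex("2A8648CE3D0201"))       # ecPublicKey
             + _der(0x06, bytes.fromhex("2A8648CE3D030107")))    # prime256v1
    + _der(0x03, b"\x00\x04" + bytes(64)))                       # dummy uncompressed point
SAMPLE_CERT = _der(0x30,
    _der(0x30,                                                   # tbsCertificate
        _der(0xA0, _der(0x02, b"\x02"))                          # [0] version v3
        + _der(0x02, b"\x01")                                    # serialNumber
        + _ECDSA_SHA256                                          # signature algorithm
        + _der(0x30, b"")                                        # issuer (empty Name)
        + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
        + _der(0x30, b"")                                        # subject (empty Name)
        + SAMPLE_SPKI)
    + _ECDSA_SHA256                                              # signatureAlgorithm
    + _der(0x03, b"\x00" + bytes(8)))                            # dummy signatureValue


if __name__ == "__main__":
    rec = tlsa_rdata(SAMPLE_CERT)
    print("record for sample cert:", rec)
    print("matches own record:", tlsa_matches(SAMPLE_CERT, rec))
    # real use: tlsa_matches(open("cosmic.der", "rb").read(), dig_output_line)
```

the point of the two selectors: a `3 1 1` record survives re-issuing the cert as long as the key pair is kept, while `3 0 1` breaks on every renewal, which is why most deployments pin the SPKI.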