@normoes
Last active August 21, 2024 04:33
getting tls pubkey value for DNS over TLS certificates

Getting the tls pubkey for a DNS over TLS address

I added cloudflare-dns.com to my stubby.yml and couldn't find any information on the value of the tls_pubkey_pinset.

tls_pubkey_pinset:
  - digest: "sha256"
    value: MISSING

Although I could find some examples, the value seemed to be wrong.

This issue helped me a lot eventually (specifically t5k6's comment on Apr 2, 2018).

It pointed me to the following command:

echo | openssl s_client -connect '1.0.0.1:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

It returns exactly the value I was searching for.

As of writing this, the following configuration can be applied:

# The cloudflare
  - address_data: 1.1.1.1
    tls_port: 853
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
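The openssl pipeline above hashes the DER-encoded SubjectPublicKeyInfo (the output of `openssl pkey -pubin -outform der`), not the whole certificate, which is why the pin survives certificate renewals that keep the same key. The following standard-library Python script does the same computation and compares the result with the value in the config; it is an added example, not code from the gist or from Stubby, and its minimal DER walker assumes a well-formed X.509 certificate (real-world certificates should still be checked with openssl as well).

```python
import base64
import hashlib
import socket
import ssl

# Pin from the gist's stubby.yml; re-verify it after any key rotation (a stale pinset makes Stubby reject the upstream).
CLOUDFLARE_PIN = "V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU="

def _tlv(buf, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def spki_from_cert_der(cert_der):
    """Return the subjectPublicKeyInfo TLV of a well-formed DER X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)          # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)        # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                        # optional [0] version (absent in v1 certs)
        pos = end
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:end]               # whole TLV, exactly what `openssl pkey -outform der` emits

def pin_from_spki(spki_der):
    """tls_pubkey_pinset value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def spki_pin(cert_der):
    return pin_from_spki(spki_from_cert_der(cert_der))

def fetch_pin(address, auth_name="cloudflare-dns.com", port=853):
    """Connect to a DoT resolver and return the pin of the leaf certificate it presents."""
    ctx = ssl.create_default_context()     # chain and tls_auth_name are still verified
    with socket.create_connection((address, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=auth_name) as tls:
            return spki_pin(tls.getpeercert(binary_form=True))

if __name__ == "__main__":
    for address in ("1.1.1.1", "1.0.0.1"):
        pin = fetch_pin(address)
        print(address, pin, "matches config" if pin == CLOUDFLARE_PIN else "DIFFERS from config value")
```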