Encaya enables AIA-compatible TLS clients (e.g. CryptoAPI, Chromium, and Safari) to accept certificates specified by a safe subset of DANE (e.g. for Namecoin).
Prerequisites:
-
Ensure you have the Go tools installed.
-
If using Linux, ensure you have the
libcap
development headers installed. (Most distributions will have a package calledlibcap-dev
or similar.)
Option A: Using Go build commands without Go modules (works on any platform with Bash; only Go 1.15-1.16.x; will not work on Go 1.17+):
-
Ensure you have the
GOPATH
environment variable set. (For those not familar with Go, setting it to the path to an empty directory will suffice. The directory will be filled with build files.) -
Run
export GO111MODULE=off
to disable Go modules. -
Run
go get -d -t -u github.com/namecoin/encaya/...
. The encaya source code will be retrieved automatically. -
Run
go get -t -u github.com/namecoin/encaya/...
. encaya will be built. The binaries will be at$GOPATH/bin/encaya
.
Option B: Using Go build commands with Go modules (works on any platform with Bash; Go 1.15+:
-
Clone encaya.
-
Run the following in the encaya directory to set up Go modules:
go mod init github.com/namecoin/encaya go mod edit -replace github.com/coreos/go-systemd=github.com/coreos/go-systemd/v22@latest go mod tidy
-
Run
go install ./...
. encaya will be built. The binaries will be at$GOPATH/bin/encaya
.
Option C: Using Makefile (non-Windows platforms):
- Run
make
. The source repository will be retrieved viago get
automatically.
Encaya can be run as a Windows service; see the output of encaya --help
.
Encaya uses a configuration file which is looked for at ../etc/encaya.conf
(relative to the executable path) and /etc/encaya/encaya.conf
. You can override
this and all options on the command line.
There are 3 machines involved in setup:
- DNS server.
- Must have a trusted network path to a Namecoin client such as Namecoin Core.
- Encaya server.
- Must have a trusted network path to the DNS server.
- Client.
- No trusted network path is necessary, but any eavesdropper on the network path to the Encaya server will be able to see which Namecoin domain names you connect to (since AIA traffic is unencrypted).
In many cases, all 3 machines will be the same machine. However, this is not a requirement. For example, you might configure a mobile client to use servers that you set up on a desktop. In fact, if the client is a TiVoized device such as an iOS device, you must set up the servers on a different machine, since TiVoized devices cannot install Encaya or ncdns.
Once you've decided which machine will play which role, follow these steps:
- Install ncdns on the DNS server machine.
- Configure
ncdns.conf
on the DNS server machine to point to the Encaya server machine for AIA. The configured IP must be valid from the client machine's network perspective. - Start ncdns as a service on the DNS server machine.
- Configure
encaya.conf
on the Encaya server machine to use ncdns's IP and port for DNS. - On the Encaya server machine, run
encayagen
to generate the Encaya root CA. - Start Encaya as a service on the Encaya server machine.
- Copy
encaya.pem
to the client machine. (If the client machine has a trusted network path to the Encaya server machine, you can download the certificate on the client machine by connecting to port 80 on the Encaya server machine in a web browser. Otherwise, manually copy the file.) - Install
encaya.pem
on the client machine as a trusted root CA. Setting EKU (TLS server authentication only) and name constraints (bit
only) is recommended, e.g. via certinject. - Configure the client machine to use ncdns's IP and port as a stub zone for
bit.
.
See Jeremy Rand's talk at the Grayhat 2020 Monero Village.
Encaya does not protect you from MITM attacks by public CA's that are trusted by your TLS client. You need another tool, such as certinject, for that.
Copyright (C) 2018-2022 Namecoin Developers.
Encaya is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
Encaya is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with Encaya. If not, see https://www.gnu.org/licenses/.