cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
List archive
- From: Florian Lagg <info AT lagg.at>
- To: cacert-devel AT lists.cacert.org, tg AT futureware.at
- Cc: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>, Ian G <iang AT iang.org>
- Subject: Re: new SSL Attacks
- Date: Fri, 31 Jul 2009 15:34:35 +0100 (GMT+01:00)
Hi,
I was asked to provide the cert file - here it is...
-----BEGIN CERTIFICATE-----
MIIEMjCCAhqgAwIBAgIDAIYOMA0GCSqGSIb3DQEBBQUAMFQxFDASBgNVBAoTC0NB
Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMDkwNzMxMTMyNzU2WhcNMTEwNzMx
MTMyNzU2WjAcMRowGAYDVQQDExFudWxsdGVzdG4ubGFnZy5hdDCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEA9D/qaxhD+b1PhsdWIXF//rcjo+8iVpxdRqEZqjjs
JJrddWuqCfA1Qbh0LVhYFv7ii8IDJtGNaQVV+dh6f3YQ+4FgasNFzYfs5wBJxkYo
xW3lMVwX2WDetk1WQNAjAixnZqSPkE2y6MWop3s0rLenLvOjO8Sjyc4NSR4eF5Gb
TR8CAwEAAaOByDCBxTAMBgNVHRMBAf8EAjAAMDQGA1UdJQQtMCsGCCsGAQUFBwMC
BggrBgEFBQcDAQYJYIZIAYb4QgQBBgorBgEEAYI3CgMDMAsGA1UdDwQEAwIFoDAz
BggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLmNhY2VydC5v
cmcvMD0GA1UdEQQ2MDSCEW51bGx0ZXN0bi5sYWdnLmF0oB8GCCsGAQUFBwgFoBMM
EW51bGx0ZXN0bi5sYWdnLmF0MA0GCSqGSIb3DQEBBQUAA4ICAQAykpLWSrRgRvZg
uSOf3Zxp0H/h5QSjhZalNNr71aJkr+aIquM7gi6RZuDd1GugqA140Qeh0RpInmKw
esnngW9v3kXaNsbOZhGfAgjWbdk2Atw2KwVDdbHfDVjkoWUTbbyfRiplrOaE/QVr
pzKx4R1yuS4t70E7hxLoVw8xBdjaQ6vGhs2Xmgr+Q/sbY6OF5MrQgdIBKoFx/t+s
S+dZhEfHbZc0toOjMkyjBj10YiBx2TKbA/URDYO9ZELoCkw6MaFeOPtV6HIDbmly
ZGAykUle/rBQyO5OxhteDZ/uuh2IlffNRr9PvkJ5SVOIrdg5F21WLtVLiC/EiW7a
G9GuBQn1tm/RNJDdmj2by0T/Wyj36Uwc0s36W5G9VTbZPafDeKOZ2DTfB2IPskWg
ssH9EuRFj4TDnJIdPOk0F1JtIrQVERF9VodzkIWzsszeVPHxOrXVbfhnaUTAcIhh
RGhKgwpWeQ17LRL5OxoYVQpgGL4r8RNVEgMt8A7iLqk9DZ0sJr5Yvbt1Ca3nUejh
0UWizFUymrPV/R/X0WEeUo7ksZq+c5oqrCxB1t1osohwdrIZ5rSD1HoOT8AhJHXj
DotAqMV3TzB765ZW7Dj0QDF3xBP7MixW2ZqZS2IibhyKejBaxv6pEFueGoB8SNsz
2teumhEd9qg6VGkpSNkq3WR0CtYaJQ==
-----END CERTIFICATE-----
----- Original Message -----
From: "Florian Lagg" <info AT lagg.at>
To: cacert-devel AT lists.cacert.org
CC: "CAcert System Administrators" <cacert-sysadm AT lists.cacert.org>, "Ian G" <iang AT iang.org>
Sent: Friday, 31 July 2009 15:36:52 GMT +01:00 Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna
Subject: Re: new SSL Attacks
Thanks Ian for your research.
I tested something:
* I tried to create a subdomain nulltest\0.lagg.at in my BIND DNS server.
This was not possible: "Failed to create master zone : 'nulldomain\0.lagg.at.'
is not a valid domain name"
So I continued without this domain.
* I tried to add nulltest\0.lagg.at in CAcert; I got to a screen asking me
for an email address to check my rights on the domain:
The available addresses are:
root@nulltest\\\\0.lagg.at
hostmaster@nulltest\\\\0.lagg.at
postmaster@nulltest\\\\0.lagg.at
admin@nulltest\\\\0.lagg.at
webmaster@nulltest\\\\0.lagg.at
after choosing one I got: "The address you specified has no authority for
this domain."
* so I went to Server Certificates:
I created a private key on the server:
$ openssl genrsa -out nulltest.key 1024
...
and a csr:
$ openssl req -new -key nulltest.key -out nulltest.csr
...
Common Name (eg, YOUR name) []:nulltest\n.lagg.at
...
------
I browsed the CAcert site to get my server certificate, uploaded the CSR and
GOT MY CERTIFICATE.
So - if I have done everything right - we should fix it in our source.
I see no reason to accept \0 (null-character) inside a domain name. We should
check our code if we do so (and edit it to forbid \0 in domain names in
future).
I also found this:
"With regard to the larger problem involving the null character, Marlinspike
said since there is no legitimate reason for a null character to be in a
domain name, it’s a mystery why Certificate Authorities accept them in a
name."
Source: http://www.wired.com/threatlevel/2009/07/kaminsky/
Which says just the same as I do above (no reason for \0 in a domain name).
After that we could check whether we have any subdomains registered in our
system with a \0 char in them and revoke them in an arbitration. If there are
any - these could be bad guys.
Hope I could help with these tests. I deleted my issued certificate in the
web GUI.
regards,
--
Florian Lagg
Florian Lagg - IT-Komplettlösungen
Juch 7, 6631 Lermoos
tel +43 (676) 344 677 5
http://www.lagg.at/
info AT lagg.at
Xing: http://www.xing.com/go/invite/7372113.3da562
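Editor's added example (not part of this thread and not CAcert's code): a small Python checker for the two things the mail asks for, namely an audit of an issued certificate for NUL bytes in the subject CN or SAN dNSName entries, and a validation of a requested domain name before it reaches the CSR path. It walks DER directly rather than through a library so that the raw bytes of each name are compared, which is the only way a NUL can be seen at all. The certificate posted above is embedded as the realistic input (re-wrapped to longer base64 lines, otherwise byte for byte as posted); decoded, its CN and dNSName are both "nulltestn.lagg.at", a plain letter "n" where the "\n" was typed, with no NUL present. The malicious subject Name and SAN value are hand-encoded DER constructed for this example, not taken from any real CSR; the LDH-label rule in hostname_ok is the editor's assumption of what "forbid \0 in domain names" should look like in practice, not CAcert's actual validation logic.

```python
import base64
import re

# Minimal DER walker: just enough X.509 to pull the subject CN and SAN dNSName
# entries out as raw bytes, so an embedded NUL is seen rather than silently lost.
OID_CN, OID_SAN = bytes.fromhex("550403"), bytes.fromhex("551d11")   # 2.5.4.3, 2.5.29.17

def _read_tlv(buf, pos):
    """Parse one DER TLV (single-byte tags); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, inner, raw_tlv) for each element of a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, end = _read_tlv(value, pos)
        yield tag, inner, value[pos:end]
        pos = end

def common_names(name_der):
    """All CN values in a DER Name (SEQUENCE OF SET OF SEQUENCE {oid, value})."""
    _, rdns, _ = _read_tlv(name_der, 0)
    found = []
    for _, rdn, _ in _children(rdns):
        for _, atv, _ in _children(rdn):
            (_, oid, _), (_, value, _) = list(_children(atv))[:2]
            if oid == OID_CN:
                found.append(value)
    return found

def san_dns_names(san_der):
    """dNSName entries ([2] IMPLICIT IA5String, tag 0x82) of a SAN extension value."""
    _, names, _ = _read_tlv(san_der, 0)
    return [inner for tag, inner, _ in _children(names) if tag == 0x82]

def scan_certificate(pem):
    """Return (subject CNs, SAN dNSNames) of a PEM certificate as raw bytes."""
    b64 = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    _, cert, _ = _read_tlv(base64.b64decode(b64), 0)
    _, tbs, _ = _read_tlv(cert, 0)               # tbsCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                     # skip EXPLICIT [0] version
        fields = fields[1:]
    cns = common_names(fields[4][2])             # serial, sigAlg, issuer, validity, subject
    dns = []
    for tag, inner, _ in fields[6:]:             # whatever follows subjectPublicKeyInfo
        if tag == 0xA3:                          # EXPLICIT [3] Extensions
            _, exts, _ = _read_tlv(inner, 0)
            for _, ext, _ in _children(exts):
                parts = list(_children(ext))     # extnID, [critical], extnValue
                if parts[0][1] == OID_SAN:
                    dns += san_dns_names(parts[-1][1])
    return cns, dns

def names_with_nul(names):
    """The post-issuance audit the mail proposes: which names carry a NUL byte."""
    return [n for n in names if b"\x00" in n]

# Pre-issuance check: LDH labels only. fullmatch rather than "$", because "$"
# would silently accept a trailing newline, exactly the kind of byte at issue.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")

def hostname_ok(name):
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":              # permit one leading wildcard label
        labels = labels[1:]
    return 0 < len(name) <= 253 and bool(labels) and all(_LABEL.fullmatch(l) for l in labels)

# Constructed inputs (hand-encoded DER, not from any real CSR): a subject Name and a
# SAN value whose only name is b"www.example.com\x00.at" as UTF8String / IA5String.
EVIL_SUBJECT = b"\x30\x1e\x31\x1c\x30\x1a\x06\x03\x55\x04\x03\x0c\x13www.example.com\x00.at"
EVIL_SAN = b"\x30\x15\x82\x13www.example.com\x00.at"

# The certificate posted in the mail above, re-wrapped to 128 columns.
PAGE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIEMjCCAhqgAwIBAgIDAIYOMA0GCSqGSIb3DQEBBQUAMFQxFDASBgNVBAoTC0NBY2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMDkwNzMxMTMyNzU2WhcNMTEwNzMxMTMyNzU2WjAcMRowGAYDVQQDExFudWxsdGVzdG4ubGFnZy5hdDCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEA9D/qaxhD+b1PhsdWIXF//rcjo+8iVpxdRqEZqjjsJJrddWuqCfA1Qbh0LVhYFv7ii8IDJtGNaQVV+dh6f3YQ+4FgasNFzYfs5wBJxkYo
xW3lMVwX2WDetk1WQNAjAixnZqSPkE2y6MWop3s0rLenLvOjO8Sjyc4NSR4eF5GbTR8CAwEAAaOByDCBxTAMBgNVHRMBAf8EAjAAMDQGA1UdJQQtMCsGCCsGAQUFBwMC
BggrBgEFBQcDAQYJYIZIAYb4QgQBBgorBgEEAYI3CgMDMAsGA1UdDwQEAwIFoDAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLmNhY2VydC5v
cmcvMD0GA1UdEQQ2MDSCEW51bGx0ZXN0bi5sYWdnLmF0oB8GCCsGAQUFBwgFoBMMEW51bGx0ZXN0bi5sYWdnLmF0MA0GCSqGSIb3DQEBBQUAA4ICAQAykpLWSrRgRvZg
uSOf3Zxp0H/h5QSjhZalNNr71aJkr+aIquM7gi6RZuDd1GugqA140Qeh0RpInmKwesnngW9v3kXaNsbOZhGfAgjWbdk2Atw2KwVDdbHfDVjkoWUTbbyfRiplrOaE/QVr
pzKx4R1yuS4t70E7hxLoVw8xBdjaQ6vGhs2Xmgr+Q/sbY6OF5MrQgdIBKoFx/t+sS+dZhEfHbZc0toOjMkyjBj10YiBx2TKbA/URDYO9ZELoCkw6MaFeOPtV6HIDbmly
ZGAykUle/rBQyO5OxhteDZ/uuh2IlffNRr9PvkJ5SVOIrdg5F21WLtVLiC/EiW7aG9GuBQn1tm/RNJDdmj2by0T/Wyj36Uwc0s36W5G9VTbZPafDeKOZ2DTfB2IPskWg
ssH9EuRFj4TDnJIdPOk0F1JtIrQVERF9VodzkIWzsszeVPHxOrXVbfhnaUTAcIhhRGhKgwpWeQ17LRL5OxoYVQpgGL4r8RNVEgMt8A7iLqk9DZ0sJr5Yvbt1Ca3nUejh
0UWizFUymrPV/R/X0WEeUo7ksZq+c5oqrCxB1t1osohwdrIZ5rSD1HoOT8AhJHXjDotAqMV3TzB765ZW7Dj0QDF3xBP7MixW2ZqZS2IibhyKejBaxv6pEFueGoB8SNsz
2teumhEd9qg6VGkpSNkq3WR0CtYaJQ==
-----END CERTIFICATE-----"""

if __name__ == "__main__":
    cns, dns = scan_certificate(PAGE_CERT_PEM)
    print("posted cert:", cns, dns, "NUL in:", names_with_nul(cns + dns))
    print("constructed:", names_with_nul(common_names(EVIL_SUBJECT) + san_dns_names(EVIL_SAN)))
    for h in ("nulltest.lagg.at", "nulltest\x00.lagg.at", "nulltest\\0.lagg.at"):
        print(repr(h), "accepted" if hostname_ok(h) else "rejected")
```

Two points worth taking from it. First, the audit must compare bytes, not decoded strings: any layer that converts the CN to a C string or a NUL-terminated buffer truncates at the NUL and reports the harmless prefix, which is the whole point of the attack. Second, the pre-issuance check rejects the name as typed in the mail ("nulltest\n.lagg.at"), a literal backslash sequence, and an embedded NUL alike, because it allows only letters, digits and hyphens in each label instead of trying to enumerate bad characters; an allow-list is the check that still holds when the next odd byte comes along.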