cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
- From: Florian Lagg <info AT lagg.at>
- To: tg AT futureware.at
- Cc: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>, Ian G <iang AT iang.org>
- Subject: Re: new SSL Attacks
- Date: Fri, 31 Jul 2009 17:15:47 +0100 (GMT+01:00)
I was just in a chat with Philipp and Ian.
It seems that "\0" is converted to "0" and is therefore a valid subdomain
without a null char (thanks Philipp).
I wanted to test it with a real null char in the CSR - not a quoted one.
Maybe someone could check the CSR and certificate to see whether the null char is there.
Currently I have no idea how I could do that.
OK, what I did so far:
*** I tried to make a CSR with:
# the private one
openssl genrsa -out nulltest.key 1024
#the csr
openssl req -batch -new -key nulltest.key -out nulltest.csr \
  -subj "/C=AT/O=Lagg/OU=Lagg/CN=`echo -e "nulltest\0000.lagg.at"`"
As
echo -e "\0000"
outputs a null char, this should work. I haven't checked it.
The resulting CSR is:
*** Then I uploaded the CSR to our web form to get a server certificate, this
one...
Could someone check whether there is a NULL char in the domain name?
If it all worked it should be nulltest\0.lagg.at (with a real null char)
regards,
--
Florian Lagg
Florian Lagg - IT-Komplettlösungen
Juch 7, 6631 Lermoos
tel +43 (676) 344 677 5
http://www.lagg.at/
info AT lagg.at
Xing: http://www.xing.com/go/invite/7372113.3da562
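Added example (not part of the message above, and not CAcert code): one way to check whether a CSR or certificate carries a real 0x00 byte in its CN, as opposed to the literal characters \0. It walks the DER with the Python standard library only; sample_pem, _tlv and the "CONSTRUCTED NAME" armor are constructed test input, and subjectAltName entries are not inspected.

```python
import base64
import re

CN_OID = bytes.fromhex("550403")  # DER body of OID 2.5.4.3 (commonName)

def pem_to_der(pem):
    """Strip the BEGIN/END armor and whitespace, then base64-decode."""
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def common_names(buf, pos=0, end=None):
    """Yield the raw value bytes of every commonName attribute found."""
    end, prev_oid = (len(buf) if end is None else end), None
    while pos < end:
        tag, start, stop = read_tlv(buf, pos)
        if tag & 0x20:  # constructed (SEQUENCE, SET, [0]): descend
            yield from common_names(buf, start, stop)
        elif prev_oid == CN_OID and tag != 0x06:  # string after the CN OID
            yield buf[start:stop]
        prev_oid = buf[start:stop] if tag == 0x06 else None
        pos = stop

def cn_nul_report(pem):
    """Map each CN (raw bytes) to True if it holds a real 0x00 byte."""
    return {cn: b"\x00" in cn for cn in common_names(pem_to_der(pem))}

def _tlv(tag, value):  # tiny short-form encoder, for the constructed sample only
    return bytes([tag, len(value)]) + value

def sample_pem(cn):
    """Constructed sample: a bare X.501 Name, not a full signed CSR."""
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, cn))))
    body = base64.encodebytes(name).decode()
    return "-----BEGIN CONSTRUCTED NAME-----\n" + body + "-----END CONSTRUCTED NAME-----\n"

if __name__ == "__main__":
    for cn in (b"nulltest\x00.lagg.at", b"nulltest\\0.lagg.at"):
        print(cn_nul_report(sample_pem(cn)))
```

Pass the contents of a real PEM file to cn_nul_report() to run the same check on an actual CSR or certificate.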