
cacert-sysadm - Re: new SSL Attacks

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list


Re: new SSL Attacks


  • From: Kim Holburn <kim AT holburn.net>
  • To: cacert-sysadm AT lists.cacert.org
  • Cc: Florian Lagg <info AT lagg.at>
  • Subject: Re: new SSL Attacks
  • Date: Fri, 31 Jul 2009 21:04:58 +0200

I don't see a null char in there.

$ openssl x509 -text -in /tmp/cert2|grep nulltest
        Subject: CN=nulltest.lagg.at
                DNS:nulltest.lagg.at, othername:<unsupported>
$ openssl x509 -text -in /tmp/cert2|grep nulltest|od -c
0000000                                    S   u   b   j   e   c   t   :
0000020        C   N   =   n   u   l   l   t   e   s   t   .   l   a   g
0000040    g   .   a   t  \n
0000060                        D   N   S   :   n   u   l   l   t   e   s
0000100    t   .   l   a   g   g   .   a   t   ,       o   t   h   e   r
0000120    n   a   m   e   :   <   u   n   s   u   p   p   o   r   t   e
0000140    d   >  \n
0000143
$



On 2009/Jul/31, at 6:15 PM, Florian Lagg wrote:

I just was in a chat with Philipp and Ian.

It seems that "\0" is converted to "0" and therefore is a valid subdomain without nullchar (thanks Philipp).

I wanted to test it with a real null-char in the csr - not a quoted one.
Maybe someone could check the CSR and Certificate if the null char is there.
Currently I do not have an idea how I could do that.

OK, what I did so far:

*** I tried to make a CSR with:
# the private one
openssl genrsa -out nulltest.key 1024
#the csr
openssl req -batch -new -key nulltest.key -out nulltest.csr -subj "/C=AT/O=Lagg/OU=Lagg/CN=`echo -e "nulltest\0000.lagg.at"`"

as
echo -e "\0000"
outputs a null char this should work. I haven't checked it.
The resulting CSR is:


*** then I uploaded the CSR to our webform to get a server certificate, this one...


Could someone check them if there is a NULL-char in the domain name?
If it all worked it should be nulltest\0.lagg.at (with a real null char)

regards,

--
Florian Lagg
-
Florian Lagg - IT-Komplettlösungen
Juch 7, 6631 Lermoos
tel +43 (676) 344 677 5
http:/www.lagg.at/ - 
info AT lagg.at
-
Xing: http://www.xing.com/go/invite/7372113.3da562
-

--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3494957443
mailto:kim AT holburn.net
  aim://kimholburn
skype://kholburn - PGP Public Key on request
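
An added example, not part of the original thread: one way to answer the question of whether a CSR or certificate carries a NUL byte in a host name, by reading the raw DER bytes of each commonName and SAN dNSName instead of rendered text. The function names and the sample structure are assumptions made for this example; the sample is constructed here and is not the CSR discussed above.

```python
import base64

OID_CN = bytes.fromhex("550403")    # 2.5.4.3 commonName
OID_SAN = bytes.fromhex("551d11")   # 2.5.29.17 subjectAltName

def pem_to_der(pem):                # drop the BEGIN/END armour, decode the rest
    return base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))

def tlv(buf, pos):
    """Decode one DER element: (tag, value bytes, offset of the next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:               # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos = 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        yield tag, val

def host_names(der):
    """Yield (field, raw bytes) for each CN and SAN dNSName in a cert or CSR."""
    for tag, val in children(der):
        kids = list(children(val)) if tag & 0x20 else []   # constructed only
        if len(kids) >= 2 and kids[0] == (0x06, OID_CN):
            yield "CN", kids[1][1]
        elif len(kids) >= 2 and kids[0] == (0x06, OID_SAN):
            # last child is an OCTET STRING wrapping SEQUENCE OF GeneralName
            for t, v in children(tlv(kids[-1][1], 0)[1]):
                if t == 0x82:       # [2] dNSName
                    yield "SAN", v
        elif kids:
            yield from host_names(val)

def embedded_nul(der):              # CN / dNSName values holding a 0x00 byte
    return [(f, raw) for f, raw in host_names(der) if b"\x00" in raw]

def enc(tag, *parts):               # sample builder, short-form lengths only
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

# Constructed sample (not the CSR from the thread): subject Name + SAN extension
SAMPLE = enc(0x30,
    enc(0x30, enc(0x31, enc(0x30, enc(0x06, OID_CN), enc(0x0C, b"nulltest\x00.lagg.at")))),
    enc(0x30, enc(0x06, OID_SAN), enc(0x04, enc(0x30, enc(0x82, b"nulltest.lagg.at")))))
```

For a file on disk, pass the result of `pem_to_der()` on its contents to `embedded_nul()`; an empty list means no CN or dNSName contains a NUL byte.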








