View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0001392 | Main CAcert Website | certificate issuing | public | 2015-07-25 06:20 | 2015-07-30 06:58

Field | Value
---|---
Reporter | BenBE
Assigned To | BenBE
Priority | immediate
Severity | major
Reproducibility | always
Status | solved?
Resolution | fixed
Product Version | 2015 Q3
Target Version | 2015 Q3
Fixed in Version | 2015 Q3
Summary | 0001392: Issue of certificates to arbitrary domains
Description | An issue was reported regarding the issuance of certificates that allows for issuing certificates to arbitrary domains.
Tags | No tags attached.
Reviewed by | NEOatNHNG, BenBE
Test Instructions | Create a CSR containing evil.com#something.you.own.com (arbitrary domain in front, acceptable domain behind #) and check that normal combinations work.

Review of patch done by Michael Tänzer (NEOatNHNG) and me (BenBE) via phone. In the course of the review the initial regexp was changed slightly.

Create CSR with this command:

openssl req -newkey rsa:4096 -nodes -subj /CN=google.com#www.inopiae.com

-----BEGIN CERTIFICATE REQUEST-----
MIIEajCCAlICAQAwJTEjMCEGA1UEAwwaZ29vZ2xlLmNvbSN3d3cuaW5vcGlhZS5j
b20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCUK62P3biTyhbGhMff
0UNytukvRrtN7WNBfjzGQMbM71DZSj0cV1KGxL7HAFYR4zUbcA5zfbNvT4UHOO/j
NTwrYZf4Hj9X3Dgk2wF/e189TKCVoox9ohHYRzpfOYMMmjyYrhk3bixPqjfRLXkE
06NS11vDpPOaGq+rGLO7KqNl5ZVp7CNhdJab8IUSvpJvT3hLWaviz8KYBCVJIo2F
3b0ifgmcTFAKLkL7c3upcrtoB82Q7n5CQGEqFNYMjD0GHOMm7cWa7+1wZ0+yeHtG
f6kH/l0j8NgC2AE6OF+W+Oucq7vvafDBgEVf+Rnoz1wgTaQwdDfzawCNdDSgFl6m
2mlX2lqXgIpCwlfrikOVsGlMOB6zi+hzSvu7JiaN4JP3zYBR38JYu0lHvfYvmqUd
Fmi6V1m2+OSYF1Au+vJJhZP9zucP5882umurILs1OAR4Hq7LAvDQn/R/90KDyeqx
U0c22LRu2v/ge3MbO7Ao6YL2EHEY9SeS8X5UTFowgjEiAi4S9EjVIi5GaZ3tTBh4
/7PQ+VKsZ1bTjlE5ODHuLAmq0rBFSzjnSDBvw7OX7jl1fHXc/z0UakGG+OUrLEzT
ft1oa3aTa54BEtNkYfAuu4GZTdxDBewtWjk/gmZ9LjXnIRPFdBKGLfGZF4ZNn1Mn
mQuRZDndKGugxTYlJdOfOeOZWQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggIBAEnG
Tl6R/o5xEvIWbhbMWg//YabSOqc0WUAK8TIGP8tXKCa+z2ZaxwGas/EL8oPdZvEv
DSTR06LiB9jlKJaw7dUUHdvpLyiySt4aQBfPVN8uhrwGpjqMf4DGE9vIPoVLUyow
cYNmE46cgytGk8jH6OI4AEzgcMTl+edH++j7vbuZZAMHtg31cTxpZJwYIOh9YZcP
4aU7lxdGOPIVYEzllF0+hkb20wqKLcAYYJelSXOw8bBWmpNWlEdG5rofSDYzIslj
dPdugX6VmMXFWYZwKQegDbQ8nBg8h3FMgfh4lHSpnWTVYLRKDovtkCiPh0R2oKFT
BrAyi7qtFvJ5Bzd8mH9ur3LpC3aXzL1mJawaU+XkrsUb+a8/rjtKlIAfaT4ISfKj
2+C65PxYgDu8CdDIOhvhONLn2kMyHV+Gvn1zv0HFEkNTYrwARyvo7yeghBzjfy6j
K+M7PvFOCujces/A4UsTiBgfSfTycxUQveHRYstyi/AolFTemxNeDBaGau0cs8xK
EPBzyTMvObP08JH6/NvrSdQ6+2cowemd1MWFOX+bKsEgnsp445J3Ug+rw77zKQV5
zbjfqyUBhKVUvcFWuPZUb2v5G5Rg9hir3N8s3GDnQMwfwQnNJHPON05/WJDvfc2q
FtcRRjMK8okr+6m8S5m/z9FojYYGbWVybddS03XW
-----END CERTIFICATE REQUEST-----

After submitting the CSR to the system I get this statement:
Rejected: google.com#www.inopiae.com => ok
After pressing Submit a second time: Domain not verified. => ok
=> OK

Domain looney.info is verified in my test account. Create a CSR:

openssl req -newkey rsa:4096 -nodes -subj '/CN=google.com#test.looney.info'

-----BEGIN CERTIFICATE REQUEST-----
MIIEazCCAlMCAQAwJjEkMCIGA1UEAwwbZ29vZ2xlLmNvbSN0ZXN0Lmxvb25leS5p
bmZvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAu5mrSULK211x+t/c
N16WLbWA1nOnanwCUma7O39aYwdj7jNgE233H/5R1xmJKppqkAs13FZ9Si6ohU/O
B9hs00wtzGp6C1XfAp9ydxOFu2hsJaSqDHDVcbYfVwK3d2bwTt+pebzmF70LOKx7
5TN6EJPNfTEqxnYyC6Nwy2jGW1vpzES005oeHv4pQPfWQwk9iPlC2OWSeLpRSg3A
1MBDVYS2l+OgUVBYLQL9e6QhfunBm4gqz5uoW1K1CPoEOgONJBn6g9Y0du3TgmxY
SXTgC1zqeqGxMf9DlwJEstJtApMHdDGLYzxj0I/LZmFh7ARKlVGharrNWRBDL+cR
hpUy98uu4hrq+Wn09nHuxvavj0uuIrmSOibF9zYujW0ox6iHLSSlaMAJuiBcEaV5
QmjixffMyyw7oXQXWRbpj2BHic8WkH80uR1kvt5YSunFTZSZihfBaaIU7kPeSDFj
TZRh7yOCL+r1bFu84BbwAbH8E9ljbE65PY83nnlxepspoq51/WRqPMKkrnNDw6cE
iPe2eamD67M86Yp6E7c5e2WfpKRjAho5JWmt79exfDgjA6wgJ4ANLT2fiqjqY+W3
BFWUcJNhhHjvXgfROf6CC6xj9OSlMrTv68CLHzSSWBcC4Yvj0C4bX3LK/eMWh8wz
WQROy4L1hOaxpgoUuyEDzs/WZTkCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4ICAQBr
dmw9KsVJqP9y/o7FtlsQKv7Hbj5KkoNmL1fB0p5MS6+mVkzhMm9NuTyl+vpJeiaM
6PaTlhuYhZqC7TwblgSM+YoHTRXHKrfHxFIDD7CNGSxWHukpHspqF46gd6ECrT6m
MESHPmNcP9xO0utIs0rYTRusWTka4KH3Swbv3HFA7KydzrD9NUd8h7GR/624Vr8M
t0ZJLf3rmcvh/+BT9Et5EzqArMWZRZQhO8BFTu3Ms2GPVemUNRsI0+ATsQEiOD4q
C2gFdnUZznY5Xm7zCL7jTrntBCBORWRaunG4dwyaPzj0WTV7jKvZCi/NfJ83Hgyi
03xz/DkZFY92pXtSCHZ+PqqwfZKs/2eAnSKmKYJWfGU6xzdofluGCKuMcpM2EV5j
7s9ozn3NxcH/iWDa6isrxJ/Wbrw95bEhgpL8GV1x0Vf95NfowVmsMuUndWwEiyXU
0Uls5HMZ/bVqAXA6NWT/MgF78c0Tza5p+AZpokgw13fhDQK66koAUcJ8y5yCPoBD
Ml9iNNcb73e5WaN/HQw3Lul3+wPiVf8hzlM05uOZ4Q/y7fUgMk6IhUvEr+2zbNek
ATSeO+XX4k+7XT/OAZX0zYxHU0VVEFhdZBfOWTm8Ua8rgyoJGMm2q0w65XZyBk2I
K6zUe0UdZXLq3HEPTZAOVVw6POw0tjxVHoa8Axs49g==
-----END CERTIFICATE REQUEST-----

Answer1 in German:
Die folgenden Hostnamen wurden abgelehnt, da das System diese nicht Ihrem Konto zuordnen konnte. Wenn die Hostnamen gültig sind, dann fügen Sie Ihrem Konto die entsprechenden Domains hinzu.
Abgelehnt: google.com#test.looney.info

Answer2 in German:
Die Domain ist nicht bestätigt.

This is the same as the test before.

The webserver part of the patch has been installed on the production server on July 25, 2015. See also the log message recorded here: https://lists.cacert.org/wws/arc/cacert-systemlog/2015-07/msg00003.html The signer part of the patch will be installed next week, arrangements for access to the secured site are in progress.

report from ticket s20150719.73:
It seems there is a bug in the portal. Since this modification, I am no longer able to use alternate DNS for my certificate:

BEGIN QUOTE
The following hostnames were rejected because the system couldn't link them to your account, if they are valid please verify the domains against your account.
Rejected: *.aaaa.net
Rejected: bbbbbbb.com
Rejected: *.bbbbb.com
END QUOTE

The test with the CSR from above still shows the same behavior. => ok

A test with SAN DNS:www.inopiae.com,DNS:*.www.inopiae.com,DNS:project-biz.de

-----BEGIN CERTIFICATE REQUEST-----
MIICrzCCAZcCAQAwGjEYMBYGA1UEAxMPd3d3Lmlub3BpYWUuY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ZnXrsYOPgAYyQGU7YGMPwGGMk+r64Hg
sckSNZd61PaTzLaCXmtyZmEa2NR7k/qZbhHh9kzpuCOGmkeSAW4bge/NJoe+EVu6
dCExQJqjn8MkK0CQzLjpRGvWX4W+GiRr00PG47MSphbBGoXzRSzi7FyrKwSdERTJ
vg0dkO9ayHicmdQbi38vrjAEdSqzhcxY0d4EDczUWDa5h9qnq1EJprFhUmPrllVF
A5dPFcSUiwcGIbAz0AmhGCnPCOFIZSOjBVNUP+23XdXLLV8XCQJZAGCtgwOBX4vc
akwnQy6aInj989hIfqn0fVs5ykys7A37UlNGJx0U7M8v9JpuGsDwLwIDAQABoFAw
TgYJKoZIhvcNAQkOMUEwPzA9BgNVHREENjA0gg93d3cuaW5vcGlhZS5jb22CESou
d3d3Lmlub3BpYWUuY29tgg5wcm9qZWN0LWJpei5kZTANBgkqhkiG9w0BAQUFAAOC
AQEAgsvdlozi4R7vpuuqsOO62CK9Yk+UAr6a1EiRQKTBbf8C0UcyCSZoJ5Sj6KKL
J3U2REM3lTokX8jFxA6yt0COkf/tx1myZnoFn1Sh1X+M0ErRS+6QdON7tZS5ql0d
aYDzG0vVs2OKKIOU7lflw/WTDT6a+2e5TFwJJDWHnhdqfRkNb12H+oUlcaH4wJjw
ARDi62kxMdQ+1YwSam/CSPPFsm+Y2F0u5xGo37Qet7lImrGx3tWzM51ebot1Gh8m
3sy+hE/iqQhROZfKVcj1Xvq2vm1LgJIerh0kGLiTRZjLKPEgTXky7hFibNemKjnB
matlC2rKDs6xE71BtJ2PHrQ8tw==
-----END CERTIFICATE REQUEST-----

works: => ok
=> ok

Tested on the current test system with an account which owns the domain 'janis-streib.de'.

Created CSR with the command openssl req -newkey rsa:4096 -nodes -subj /CN=google.com#janis-streib.de -> Rejected => OK
Created CSR with the command openssl req -newkey rsa:4096 -nodes -subj /CN=janis-streib.de -> Accepted => OK
Created CSR with the command openssl req -newkey rsa:4096 -nodes -subj /CN=*.janis-streib.de -> Accepted => OK
Created CSR with the command openssl req -newkey rsa:4096 -nodes -subj /CN=*.janis-streib.de/CN=google.com#janis-streib.de -> The google one gets rejected => OK
Created CSR with the command openssl req -newkey rsa:4096 -nodes -subj /CN=google.com?janis-streib.de -> Rejected => OK
Generated CSR with the command openssl req -newkey rsa:4096 -nodes -subj /CN=*.www.janis-streib.de/CN=janis-streib.de/CN=*.janis-streib.de -> All domains accepted and in the cert => OK

=> PASSED

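The test matrix in the note above pins down what the domain check has to do: every name in the request (each CN and each SAN DNS entry) must be judged as a whole string, so that a verified domain following a `#` or `?` cannot carry an arbitrary name in front of it through. The following Python is an added illustration of that property and is not CAcert's code; the actual patch is not reproduced in this ticket. The verified-domain lists, the `suffix_only_check` function (a hypothetical weak check showing the failure class) and the simplified subject/SAN string parsers are assumptions constructed for the example.

```python
import re

# One hostname label (letters, digits, inner hyphens; 1 to 63 characters).
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# The whole requested name must match this grammar. "#" and "?" are not in it,
# so "google.com#test.looney.info" fails as a whole instead of being accepted
# on the strength of the verified domain that follows the "#".
HOSTNAME_RE = re.compile(rf"(?:\*\.)?(?:{LABEL}\.)+{LABEL}")


def is_wellformed_hostname(name: str) -> bool:
    """True only if the complete string is a hostname or a '*.hostname' wildcard."""
    return len(name) <= 253 and HOSTNAME_RE.fullmatch(name.lower()) is not None


def covering_domain(name: str, verified_domains):
    """Return the verified domain that covers `name` (itself or a subdomain), else None."""
    if not is_wellformed_hostname(name):
        return None
    host = name.lower()
    if host.startswith("*."):
        host = host[2:]  # a wildcard is judged by the name it hangs under
    for dom in verified_domains:
        d = dom.lower()
        if host == d or host.endswith("." + d):
            return d
    return None


def suffix_only_check(name: str, verified_domains) -> bool:
    """Hypothetical weak check (not CAcert's code): accepts any string that merely
    ends in a verified domain. This is the failure class the ticket describes."""
    return any(name.lower().endswith(d.lower()) for d in verified_domains)


def names_from_subject(subj: str):
    """Every CN in an OpenSSL-style '/CN=a/CN=b' subject string (simplified: no escaped slashes)."""
    return [part[3:] for part in subj.split("/") if part.startswith("CN=")]


def names_from_san(san: str):
    """DNS names in an OpenSSL-style 'DNS:a,DNS:b' subjectAltName string."""
    parts = (p.strip() for p in san.split(","))
    return [p[4:] for p in parts if p.startswith("DNS:")]


def check_names(names, verified_domains):
    """Split requested names into (accepted, rejected), as the portal reports them."""
    accepted, rejected = [], []
    for n in names:
        (accepted if covering_domain(n, verified_domains) else rejected).append(n)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed account data: assume the tester's account has verified janis-streib.de.
    verified = ["janis-streib.de"]
    for subj in ["/CN=google.com#janis-streib.de",
                 "/CN=*.janis-streib.de/CN=google.com#janis-streib.de",
                 "/CN=google.com?janis-streib.de",
                 "/CN=*.www.janis-streib.de/CN=janis-streib.de/CN=*.janis-streib.de"]:
        ok, bad = check_names(names_from_subject(subj), verified)
        print(f"{subj}\n  accepted: {ok}\n  rejected: {bad}")
    # The suffix-only check would have let the first name through.
    print("suffix-only check accepts evil name:",
          suffix_only_check("google.com#janis-streib.de", verified))
```

The decisive detail is `fullmatch` over the entire string before any comparison with the account's domains: a check that only looks at the tail of the name, or matches an unanchored pattern, is exactly what accepts `evil.com#something.you.own.com`. Running the block reproduces the ticket's matrix: the `#` and `?` names are rejected, the plain, wildcard and mixed subjects are accepted, and the SAN list from the earlier note passes when `inopiae.com` and `project-biz.de` are in the verified list.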
Test domain looney.info with my test account.

CSR:

openssl req -newkey rsa:4096 -nodes -subj '/CN=google.com#test.looney.info'

-----BEGIN CERTIFICATE REQUEST-----
MIIEazCCAlMCAQAwJjEkMCIGA1UEAwwbZ29vZ2xlLmNvbSN0ZXN0Lmxvb25leS5p
bmZvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAu5mrSULK211x+t/c
N16WLbWA1nOnanwCUma7O39aYwdj7jNgE233H/5R1xmJKppqkAs13FZ9Si6ohU/O
B9hs00wtzGp6C1XfAp9ydxOFu2hsJaSqDHDVcbYfVwK3d2bwTt+pebzmF70LOKx7
5TN6EJPNfTEqxnYyC6Nwy2jGW1vpzES005oeHv4pQPfWQwk9iPlC2OWSeLpRSg3A
1MBDVYS2l+OgUVBYLQL9e6QhfunBm4gqz5uoW1K1CPoEOgONJBn6g9Y0du3TgmxY
SXTgC1zqeqGxMf9DlwJEstJtApMHdDGLYzxj0I/LZmFh7ARKlVGharrNWRBDL+cR
hpUy98uu4hrq+Wn09nHuxvavj0uuIrmSOibF9zYujW0ox6iHLSSlaMAJuiBcEaV5
QmjixffMyyw7oXQXWRbpj2BHic8WkH80uR1kvt5YSunFTZSZihfBaaIU7kPeSDFj
TZRh7yOCL+r1bFu84BbwAbH8E9ljbE65PY83nnlxepspoq51/WRqPMKkrnNDw6cE
iPe2eamD67M86Yp6E7c5e2WfpKRjAho5JWmt79exfDgjA6wgJ4ANLT2fiqjqY+W3
BFWUcJNhhHjvXgfROf6CC6xj9OSlMrTv68CLHzSSWBcC4Yvj0C4bX3LK/eMWh8wz
WQROy4L1hOaxpgoUuyEDzs/WZTkCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4ICAQBr
dmw9KsVJqP9y/o7FtlsQKv7Hbj5KkoNmL1fB0p5MS6+mVkzhMm9NuTyl+vpJeiaM
6PaTlhuYhZqC7TwblgSM+YoHTRXHKrfHxFIDD7CNGSxWHukpHspqF46gd6ECrT6m
MESHPmNcP9xO0utIs0rYTRusWTka4KH3Swbv3HFA7KydzrD9NUd8h7GR/624Vr8M
t0ZJLf3rmcvh/+BT9Et5EzqArMWZRZQhO8BFTu3Ms2GPVemUNRsI0+ATsQEiOD4q
C2gFdnUZznY5Xm7zCL7jTrntBCBORWRaunG4dwyaPzj0WTV7jKvZCi/NfJ83Hgyi
03xz/DkZFY92pXtSCHZ+PqqwfZKs/2eAnSKmKYJWfGU6xzdofluGCKuMcpM2EV5j
7s9ozn3NxcH/iWDa6isrxJ/Wbrw95bEhgpL8GV1x0Vf95NfowVmsMuUndWwEiyXU
0Uls5HMZ/bVqAXA6NWT/MgF78c0Tza5p+AZpokgw13fhDQK66koAUcJ8y5yCPoBD
Ml9iNNcb73e5WaN/HQw3Lul3+wPiVf8hzlM05uOZ4Q/y7fUgMk6IhUvEr+2zbNek
ATSeO+XX4k+7XT/OAZX0zYxHU0VVEFhdZBfOWTm8Ua8rgyoJGMm2q0w65XZyBk2I
K6zUe0UdZXLq3HEPTZAOVVw6POw0tjxVHoa8Axs49g==
-----END CERTIFICATE REQUEST-----

Answer1: After the submission of the CSR the request was denied with the error: The hostnames were rejected. The domains are not verified to your domain.
Answer2: The domain is not verified.
=> OK

CSR:

openssl req -newkey rsa:4096 -nodes -subj '/CN=looney.info/CN=test.looney.info/CN=*.looney.info'

-----BEGIN CERTIFICATE REQUEST-----
MIIEjjCCAnYCAQAwSTEUMBIGA1UEAwwLbG9vbmV5LmluZm8xGTAXBgNVBAMMEHRl
c3QubG9vbmV5LmluZm8xFjAUBgNVBAMMDSoubG9vbmV5LmluZm8wggIiMA0GCSqG
SIb3DQEBAQUAA4ICDwAwggIKAoICAQDBYygKxWEbeJB0M8vWB+ML1f/pZRkPa3fZ
7m/YT1fE7UkIZictXizZYmdwsa6q/DEDNNHzHpn/wIOpVzLV1OaeKLXP6018uh5c
R39HcCPkOBY4KYS31BcQx5Or13wG1UhQ5UtB8HvDWix/hnqwzIBAkBC0zeXvFjra
WcQRctxniwfKvz173bedJ9m2DAiTgUUCHarb1/hqEfUnhQIzn0E8P8atzYXctR6j
wiF6svj7Kl7k1rnxR2AX0t6jto3PPYjSNK1kJ9CRXlkcmyuVgQDAU3TioBqdWOW/
KIjYrmgMmHVsMBomBbbk9HYENbqdxpE3xjr3EqQ2CzVxJhWhvqsHO/Qv2DB++OqJ
gnjeqxtlePPG/AjuZAYmnxoWBTWScWd7qfqmY/kchEmeAKaAL0FZEl1SipgRsWuv
OBHmLphZzDUv5Fnw930dQnp0LEmllk3C7AlXMZuJLWKonXlBA3YHh/E0GyRUDJ4C
z9/k11snsWQTf813NhRrscZradccJdodQhWcXw2pgU0g5HQZLw20RZq9qCv7DAgl
htQcIcLYHX4WJ5Y2ujx+RsuY2tPWlaMaBYeFOZeNjVCdEnZCS0rynOxBrw9JfZ2z
0dRGWlVumZE4pRjtnVed//geBrBFyXv77u+etx88ukMXsI2bQaQNEMDoH2uwSnLU
fHw7PjhtZQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggIBADv61rrNHUMhs+vBy5Rc
0Wi+VWiKxgGAxcRJa2hhPfYa/qKMrcQPNCHkVOUuU9wYxt9N5MUG496yRd/GD3jH
jF0ebNvCv/xcM8z+02DR82zqjjogXL831xrTAIp0BIM1KYTnws1L+7rM2k+NN8zl
7peCYKTYvX4M0Q4A2y5eUkT1oX2GL1Bw1AmCkJyIkNJSjl7cZ/j7eYXSuzZ49MRW
in4FH8hv8eWErD0btyXfU/hpVy6YJCtYZwou6qjkWFSpdQZERIt+LuKm5zXkfuzB
qSrHnHMCqnGU6QB8lSQbR3Ml+h7i8ks2Gr/bud5PLNG2VitE0O0SIYSNcg8756fb
BRqbTBkpFEs9Ls1mo4dOaK2wORaiojuvyjriIVsyKLIyqkLz9oN5IHQNZ7Hl1ytI
aPWPQiiH/fe1b78GlUFNCnRtqEvwDzml1ZPumPAKvGFXrbN+WCbfradoeqXCElc9
UdlAZhbGEw/1PXbW22I34vzvP6YZFdyYwU2fv+ZVGLV21ccF0rjwTjvLB+n2/KAT
RHgfmcjjQY0+kKoMtkXOcUp56c0Vjq2MUBwc7ZBtOHT5f51Xv4sWRntuDWWyE+x7
lCepHViri/1jpikW/HFov5QO5ynMPldKSzPBVKUAeTBFGbeq3H13da6ExLwtN2+j
u/GBBKuqxlvlYNzj9aur5Hkd
-----END CERTIFICATE REQUEST-----

Answer1: All 3 names are accepted => OK
Answer2: The certificate was issued => OK

The additional part of the patch for the webserver side has been installed on the production server on July 27, 2015. See also the log message recorded here: https://lists.cacert.org/wws/arc/cacert-systemlog/2015-07/msg00004.html The signer part of the patch will be installed later this week, arrangements for access to the secured site are in progress.

The signer part of the fix has been installed on the production server on July 29, 2015, by means of a visit to the hosting centre. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2015-07/msg00008.html

Date Modified | Username | Field | Change |
---|---|---|---|
2015-07-25 06:20 | BenBE | New Issue | |
2015-07-25 06:20 | BenBE | Assigned To | => BenBE |
2015-07-25 12:53 | BenBE | Reviewed by | => NEOatNHNG, BenBE |
2015-07-25 12:53 | BenBE | Test Instructions | => Create a CSR containing evil.com#something.you.own.com (arbitrary domain in front, acceptable domain behind #) |
2015-07-25 12:53 | BenBE | Status | new => needs review & testing |
2015-07-25 12:55 | BenBE | Note Added: 0005429 | |
2015-07-25 12:56 | INOPIAE | Note Added: 0005430 | |
2015-07-25 13:47 | StefanT | Note Added: 0005431 | |
2015-07-25 15:32 | wytze | Note Added: 0005432 | |
2015-07-25 21:51 | INOPIAE | Note Added: 0005433 | |
2015-07-25 21:52 | INOPIAE | Note Added: 0005434 | |
2015-07-26 15:29 | INOPIAE | Test Instructions | Create a CSR containing evil.com#something.you.own.com (arbitrary domain in front, acceptable domain behind #) => Create a CSR containing evil.com#something.you.own.com (arbitrary domain in front, acceptable domain behind #) and check that normal combinations work. |
2015-07-26 16:11 | janmaco | Note Added: 0005435 | |
2015-07-26 19:14 | StefanT | Note Added: 0005436 | |
2015-07-27 07:29 | wytze | Note Added: 0005437 | |
2015-07-28 19:31 | BenBE | Status | needs review & testing => ready to deploy |
2015-07-29 10:29 | wytze | Note Added: 0005441 | |
2015-07-29 10:29 | wytze | Status | ready to deploy => solved? |
2015-07-29 10:29 | wytze | Fixed in Version | => 2015 Q3 |
2015-07-29 10:29 | wytze | Resolution | open => fixed |
2015-07-30 06:58 | BenBE | View Status | private => public |