Date:      Wed, 13 May 2015 21:43:59 +0000
From:      Christopher Schulte <christopher@schulte.org>
To:        Paul Franklin <paul.franklin@grg.com>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, "james.c.elstone@ntlworld.com" <james.c.elstone@ntlworld.com>
Subject:   Re: Forums.FreeBSD.org - SSL Issue?
Message-ID:  <F90A5645-3C38-4BE5-93D7-483FB68E105A@schulte.org>
In-Reply-To: <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com>
References:  <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com>


> On May 13, 2015, at 9:29 AM, Paul Franklin <paul.franklin@grg.com> wrote:
> 
> Hi James,
> 
> Yes I agree, it looks like the wrong intermediate cert has been used...
> 
> Certificate:
>  Subject: CN=forums.freebsd.org
>  Issuer: CN=Gandi Standard SSL CA 2
> 
> Intermediate:
>  Subject: CN=Gandi Standard SSL CA
> 
> The certificate issuer CN doesn't match the intermediate subject CN
> (note the missing 2)

I’ll chime in here with a related resource I use from time to time, specifically with regard to website TLS/SSL certs.

First, see:

http://perspectives1.schulte.org:8080/?host=forums.freebsd.org&port=443&service_type=2&;

This is designed to be used with the Perspectives web browser plugin, allowing supported browsers to query a set of trusted notary servers in real time, comparing the certs (well, actually just the fingerprints of the certs) stored in the notary servers with what the browser sees.  That can be used to potentially detect MITM attacks, even those using trusted-CA-issued certs which would pass the browser’s trust test.

Separate from using it in-line with my web browser to help secure my day-to-day browsing, I also, from time to time, manually query one of my notaries, looking for cert history for a given target site.  In this case, it quickly allowed me to see that a new cert appears to have been installed recently on the forums site, replacing the old one which had been used since October of last year.

It’s a slick tool.  I use it along with other tools that query things like DANE/DNSSEC properties (BTW: thanks, FreeBSD, for publishing signed TLSA records!).

You can see more about my Perspectives setup at https://noc.schulte.org/perspectives.html, which also has a link to the project’s homepage.  You can pull down the server code and set up your own set of trusted servers.  I spread mine out across different networks, improving the chance of detecting malicious activity.

> Regards,
> Paul.

Chris

