From: Christopher Schulte
To: Paul Franklin
CC: freebsd-security@freebsd.org, james.c.elstone@ntlworld.com
Subject: Re: Forums.FreeBSD.org - SSL Issue?
Date: Wed, 13 May 2015 21:43:59 +0000

> On May 13, 2015, at 9:29 AM, Paul Franklin wrote:
>
> Hi James,
>
> Yes I agree, it looks like the wrong intermediate cert has been used...
>
> Certificate:
> Subject: CN=forums.freebsd.org
> Issuer: CN=Gandi Standard SSL CA 2
>
> Intermediate:
> Subject: CN=Gandi Standard SSL CA
>
> The certificate issuer CN doesn't match the intermediate subject CN
> (note the missing 2)

I'll chime in here with a related resource I use from time to time, specifically with regard to website TLS/SSL certs. First, see:

http://perspectives1.schulte.org:8080/?host=forums.freebsd.org&port=443&service_type=2&

which is designed to be used with the Perspectives web browser plugin, allowing supported browsers to query a set of trusted notary servers in real time, comparing the certs (well, actually just the fingerprint of the certs) stored in the notary servers with what the browser sees. That can be used to potentially detect MITM attacks, even those using trusted-CA-issued certs which would pass the browser's trust test.

Separate from using it in-line with my web browser to help secure my day-to-day browsing, I from time to time also manually query one of my notaries, looking for cert history for a given target site. In this case, it quickly allowed me to see that a new cert appears to have been installed recently on the forums site, replacing the old one which had been used since October of last year.

It's a slick tool. I use it along with other tools that query things like DANE/DNSSEC properties (BTW: thanks, FreeBSD, for publishing signed TLSA records!). You can see more about my Perspectives setup at https://noc.schulte.org/perspectives.html, which also has a link to the project's homepage. You can pull down the server code and set up your own set of trusted servers. I spread mine out across different networks, improving the chance of detecting malicious activity.

> Regards,
> Paul.

Chris
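The two checks the thread touches on, as an added example that is not part of the thread and not code from the Perspectives project: a notary-style comparison of the fingerprint a client sees against the history held by several independent notaries (the "recently installed cert" observation above is the young-but-consistent case, while a key that only the local client sees is the MITM case), and a chain-link check for the issuer/subject mismatch Paul quoted. The notary names, dates, and certificate bytes are constructed; only the subject and issuer names in the chain come from the thread, and the intermediate's own issuer, which the thread does not show, is a labelled placeholder.

```python
"""Notary-style fingerprint check and certificate chain-link check.

Added example (not from the thread or the Perspectives project). Everything
below runs offline on constructed data: the notary histories, the stand-in
certificate bytes and the notary host names are all made up for illustration.
"""
import hashlib
from datetime import date


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 over the DER encoding; notaries store this, not the whole cert."""
    return hashlib.sha256(der_bytes).hexdigest()


# Constructed stand-ins for DER certificates (real input: the leaf cert from a handshake).
OLD_CERT = b"constructed-der: forums leaf cert in use since Oct 2014"
NEW_CERT = b"constructed-der: forums leaf cert installed May 2015"
MITM_CERT = b"constructed-der: cert seen only by one client"
OLD_FP, NEW_FP, MITM_FP = (fingerprint(c) for c in (OLD_CERT, NEW_CERT, MITM_CERT))

TODAY = date(2015, 5, 13)    # the day of the thread
EARLIER = date(2015, 5, 1)   # before the rotation, for a historical query

# Constructed histories of three independent notaries for one service.
# Each entry is (fingerprint, first_seen, last_seen).
HISTORY = {
    "notary-a.example": [
        (OLD_FP, date(2014, 10, 3), date(2015, 5, 10)),
        (NEW_FP, date(2015, 5, 11), date(2015, 5, 13)),
    ],
    "notary-b.example": [
        (OLD_FP, date(2014, 10, 5), date(2015, 5, 10)),
        (NEW_FP, date(2015, 5, 11), date(2015, 5, 13)),
    ],
    "notary-c.example": [
        (OLD_FP, date(2014, 10, 4), date(2015, 5, 11)),
        (NEW_FP, date(2015, 5, 12), date(2015, 5, 13)),
    ],
}


def current_fingerprint(history, today, max_staleness_days=3):
    """Fingerprint this notary saw most recently as of `today`, or None if no fresh data."""
    known = [entry for entry in history if entry[1] <= today]
    if not known:
        return None
    fp, _, last_seen = max(known, key=lambda entry: entry[2])
    if (today - last_seen).days > max_staleness_days:
        return None
    return fp


def first_seen(history, fp):
    """Date a notary first recorded this fingerprint, or None if it never did."""
    for entry_fp, first, _ in history:
        if entry_fp == fp:
            return first
    return None


def evaluate(observed_fp, notaries, today, quorum=2, min_age_days=30):
    """Compare the key the client saw with the notaries' current view.

    mismatch:         fewer than `quorum` notaries currently see this key
                      (a key presented only to the local client, CA-signed or not)
    recently-changed: notaries agree, but the key is younger than min_age_days
                      (a rotation seen consistently from all vantage points)
    ok:               notaries agree and the key has a long consistent history
    """
    agreeing = [name for name, hist in notaries.items()
                if current_fingerprint(hist, today) == observed_fp]
    if len(agreeing) < quorum:
        return {"agreeing": len(agreeing), "age_days": None, "verdict": "mismatch"}
    earliest = min(first_seen(notaries[name], observed_fp) for name in agreeing)
    age_days = (today - earliest).days
    verdict = "ok" if age_days >= min_age_days else "recently-changed"
    return {"agreeing": len(agreeing), "age_days": age_days, "verdict": verdict}


def chain_break(chain):
    """Index of the first cert whose issuer is not the next cert's subject, else None.

    `chain` is a list of (subject, issuer) pairs from the leaf upward.
    """
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            return i
    return None


# Chain as quoted in the thread; the intermediate's own issuer is not shown there.
SERVED_CHAIN = [
    ("CN=forums.freebsd.org", "CN=Gandi Standard SSL CA 2"),
    ("CN=Gandi Standard SSL CA", "CN=<root issuer not shown in thread>"),
]
CORRECTED_CHAIN = [
    ("CN=forums.freebsd.org", "CN=Gandi Standard SSL CA 2"),
    ("CN=Gandi Standard SSL CA 2", "CN=<root issuer not shown in thread>"),
]

if __name__ == "__main__":
    print("new forums cert:", evaluate(NEW_FP, HISTORY, TODAY))
    print("cert seen by one client only:", evaluate(MITM_FP, HISTORY, TODAY))
    print("old cert as of 2015-05-01:", evaluate(OLD_FP, HISTORY, EARLIER))
    print("served chain breaks at index:", chain_break(SERVED_CHAIN))
    print("corrected chain breaks at:", chain_break(CORRECTED_CHAIN))
```

The quorum and minimum-age thresholds are policy knobs: a key that every notary sees but only since this week is not proof of an attack, which is exactly how the forums rotation reads from the notary history, whereas a key no notary has ever seen is the signal that matters regardless of who signed it. Notaries only help if they observe from networks an attacker does not also control, which is the point of spreading them out.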