> On May 13, 2015, at 9:29 AM, Paul Franklin <paul.franklin at grg.com>
wrote:
>
> Hi James,
>
> Yes I agree, it looks like the wrong intermediate cert has been used...
>
> Certificate:
> Subject: CN=forums.freebsd.org
> Issuer: CN=Gandi Standard SSL CA 2
>
> Intermediate:
> Subject: CN=Gandi Standard SSL CA
>
> The certificate issuer CN doesn't match the intermediate subject CN
> (note the missing 2)
I'll chime in here with a related resource I use from time to time, specifically
with regard to website TLS/SSL certs.
First, see:
http://perspectives1.schulte.org:8080/?host=forums.freebsd.org&port=443&service_type=2&
Which is designed to be used with the Perspectives web browser plugin, allowing
supported browsers to query a set of trusted notary servers in real time,
comparing the certs (well, actually just the fingerprint of the certs) stored in
the notary servers with what the browser sees. That can be used to potentially
detect MITM attacks, even those using trusted-CA-issued certs which would pass
the browser's trust test.
Separate from using it in-line with my web browser to help secure my day-to-day
browsing, I from time to time also manually query one of my notaries, looking
for cert history for a given target site. In this case, it quickly allowed me
to see that a new cert appears to have been installed recently on the forums
site, replacing the old one which had been used since October of last year.
It's a slick tool. I use it along with other tools that query things like
DANE/DNSSEC properties (BTW: thanks, FreeBSD, for publishing signed TLSA
records!).
You can see more about my Perspectives setup at
https://noc.schulte.org/perspectives.html, which also has a link to the
project's homepage. You can pull down the server code and set up your own set of
trusted servers. I spread mine out across different networks, improving the
chance of detecting malicious activity.
> Regards,
> Paul.
Chris
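The two checks discussed in this thread, the chain mismatch Paul spotted (leaf issuer CN not equal to the served intermediate's subject CN) and the fingerprint history a Perspectives-style notary keeps, can be reproduced offline. The following Go program is an added example written for this page, not code from the thread, FreeBSD or the Perspectives project. It builds a throwaway PKI with constructed names ("Example Root CA", "Example Standard SSL CA", "Example Standard SSL CA 2", hostname forums.example.com) so that it runs without network access, then uses the standard library's crypto/x509 verifier as a stand-in for what a browser or `openssl verify` does. It goes one step beyond the thread: besides the wrong-sibling case, it also shows why the CN comparison alone is only a hint, by serving an impostor intermediate that carries the right name but a different key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// certPair is a certificate together with the private key it certifies.
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var nextSerial int64 = 1 // simple unique serials for the constructed test PKI

// issue creates a certificate with common name cn, signed by parent.
// parent == nil yields a self-signed root.
func issue(cn string, isCA bool, parent *certPair) (*certPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	nextSerial++
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn} // modern verifiers match the SAN, not the CN
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certPair{cert, key}, nil
}

// Demo is the constructed PKI: RightInter really signed Leaf, WrongInter is the
// older sibling CA (the mistake from the thread), SameNameInter has the right CN
// but a different key, and OldLeaf is the certificate that was in use before a reissue.
type Demo struct {
	Host                                                       string
	Root, RightInter, WrongInter, SameNameInter, Leaf, OldLeaf *x509.Certificate
}

// BuildDemo issues all constructed certificates; names and host are placeholders.
func BuildDemo() (*Demo, error) {
	var firstErr error
	mk := func(cn string, isCA bool, parent *certPair) *certPair {
		p, err := issue(cn, isCA, parent)
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return p
	}
	host := "forums.example.com"
	root := mk("Example Root CA", true, nil)
	ca2 := mk("Example Standard SSL CA 2", true, root)
	ca1 := mk("Example Standard SSL CA", true, root)
	impostor := mk("Example Standard SSL CA 2", true, root) // same CN, different key
	oldLeaf := mk(host, false, ca2)
	leaf := mk(host, false, ca2) // reissued: new key, new fingerprint
	if firstErr != nil {
		return nil, firstErr
	}
	return &Demo{host, root.cert, ca2.cert, ca1.cert, impostor.cert, leaf.cert, oldLeaf.cert}, nil
}

// ChainProblem returns "" when leaf validates for host through the served
// intermediate up to root, otherwise a description of the first problem found.
// The cheap textual CN comparison from the thread runs first; the real
// signature and path check follows because a matching name proves nothing.
func ChainProblem(leaf, intermediate, root *x509.Certificate, host string) string {
	if leaf.Issuer.CommonName != intermediate.Subject.CommonName {
		return fmt.Sprintf("issuer CN %q does not match intermediate subject CN %q",
			leaf.Issuer.CommonName, intermediate.Subject.CommonName)
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters}); err != nil {
		return err.Error()
	}
	return ""
}

// Fingerprint is the SHA-256 digest of the DER certificate, the value a notary
// records per host and compares against what a browser reports seeing.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

func main() {
	d, err := BuildDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("wrong sibling CA:", ChainProblem(d.Leaf, d.WrongInter, d.Root, d.Host))
	fmt.Println("same-name impostor:", ChainProblem(d.Leaf, d.SameNameInter, d.Root, d.Host))
	fmt.Printf("correct chain: %q\n", ChainProblem(d.Leaf, d.RightInter, d.Root, d.Host))
	fmt.Println("old leaf fp:", Fingerprint(d.OldLeaf))
	fmt.Println("new leaf fp:", Fingerprint(d.Leaf))
}
```

Running it prints the CN mismatch for the wrong sibling, a signature failure for the impostor even though its name matches, an empty problem string for the correct chain, and two different fingerprints for the old and reissued leaf, which is the change a notary's history makes visible.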