[179968] in North American Network Operators' Group


Re: ARO Security

daemon@ATHENA.MIT.EDU (Randy Bush)
Mon May 18 16:42:47 2015

X-Original-To: nanog@nanog.org
Date: Mon, 18 May 2015 10:40:45 -1000
From: Randy Bush <randy@psg.com>
To: Eric Oosting <eric.oosting@gmail.com>
In-Reply-To: <CAHd7N8Ptq4=yp1L_MHFM3WSh5eejfi=tPizX5NP572QKceNfuQ@mail.gmail.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

i too get the amsl cert in response to an openssl cert query with a
bog standard starfield class 2 chain

    % openssl s_client -connect secretariat.nanog.org:443
    CONNECTED(00000003)
    depth=0 /OU=Domain Control Validated/CN=*.amsl.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /OU=Domain Control Validated/CN=*.amsl.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /OU=Domain Control Validated/CN=*.amsl.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/OU=Domain Control Validated/CN=*.amsl.com
       i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
     1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435
       i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
     2 s:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
       i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIGRDCCBSygAwIBAgIJAInJ3xG7x0IgMA0GCSqGSIb3DQEBCwUAMIHGMQswCQYD

with chrome, https://secretariat.nanog.org gets me a redirect to
the insecure http://www.nanog.org/ (note lack of 's') via the
tls-failing cert, see above

> let's take the conversation off of nanog to spare the list.

one of the purposes of this list is for us to learn from each other.  in
this case, techniques for diagnosing tls & cert issues are worth
sharing.  [ sadly, folk with bugs love to redirect discussion off public
media ]

randy
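Added example, not part of the thread above: a small Python script that takes the "Certificate chain" section exactly as `openssl s_client` prints it (the quoted output is embedded as constructed sample input, PEM omitted) and runs the two checks a practitioner does by eye: does the leaf CN cover the hostname that was requested, using RFC 6125-style wildcard rules, and does each certificate's issuer name equal the subject of the next certificate the server sent. On the quoted chain it reports that `*.amsl.com` does not cover `secretariat.nanog.org`, and that the leaf's issuer ("Starfield Secure Certificate Authority - G2") is not the subject of the intermediate that was actually sent ("Starfield Secure Certification Authority"), which is consistent with the `unable to get local issuer certificate` error. A helper for the https-to-http redirect observed with chrome is included; the function names and the findings format are my own.

```python
"""Added example (not from the NANOG thread): check a chain as printed by
`openssl s_client` for hostname coverage and issuer/subject linkage."""
import re
from urllib.parse import urlsplit

# Constructed sample: the chain section from the quoted s_client output
# (the trailing PEM block is omitted; it is not needed for these checks).
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.amsl.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435
   i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
 2 s:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
   i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
---
Server certificate
"""


def parse_chain(output):
    """Return [(subject_dn, issuer_dn), ...] in depth order (0 = leaf)."""
    chain, subject, in_chain = [], None, False
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.strip() == "---":           # end of the chain section
            break
        m = re.match(r"\s*\d+\s+s:(.*)$", line)
        if m:
            subject = m.group(1)
            continue
        m = re.match(r"\s+i:(.*)$", line)
        if m and subject is not None:
            chain.append((subject, m.group(1)))
            subject = None
    return chain


def common_name(dn):
    """Pull the CN out of an OpenSSL-style '/C=..../CN=...' name string.
    Whole-DN strings are compared for linkage because OU values here
    contain URLs with their own slashes."""
    m = re.search(r"/CN=([^/]+)", dn)
    return m.group(1) if m else None


def hostname_matches(pattern, hostname):
    """RFC 6125-style match: '*' is accepted only as the entire leftmost
    label, matches exactly one label, and may not stand in for a whole
    domain such as '*.com'."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def diagnose(output, hostname):
    """Run the name and linkage checks; returns a dict of findings."""
    chain = parse_chain(output)
    leaf_cn = common_name(chain[0][0]) if chain else None
    breaks = [d for d in range(len(chain) - 1) if chain[d][1] != chain[d + 1][0]]
    return {
        "leaf_cn": leaf_cn,
        "name_ok": bool(leaf_cn) and hostname_matches(leaf_cn, hostname),
        "chain_breaks": breaks,           # depths whose issuer is not the next subject
        "root_self_signed": bool(chain) and chain[-1][0] == chain[-1][1],
    }


def downgrade_redirect(request_url, location):
    """True when a Location header moves an https request to plain http."""
    return urlsplit(request_url).scheme == "https" and urlsplit(location).scheme == "http"


if __name__ == "__main__":
    print(diagnose(SAMPLE_S_CLIENT_OUTPUT, "secretariat.nanog.org"))
    print(downgrade_redirect("https://secretariat.nanog.org/", "http://www.nanog.org/"))
```

Feed it live output by piping `openssl s_client -connect host:443 </dev/null` into a file and passing the file's contents to `diagnose`; the linkage check only compares the names the server presented, so a break at depth 0 means the wrong intermediate was sent, not that signatures were verified.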
