Re: Certificates with invalid "double dot" dnsNames issued from Comodo intermediates

Tue, 18 Jul 2017 07:32:30 -0700 

On 18/07/2017 16:19, Rob Stradling wrote:

On 17/07/17 16:14, Jonathan Rudenberg via dev-security-policy wrote:
This certificate, issued by “Intesa Sanpaolo CA Servizi Esterni Enhanced” which chains up to a Baltimore CyberTrust root, contains an invalid dnsName of “www.intesasanpaolovita..biz” (note the two dots): 


https://crt.sh/?q=2B95B474A2646CA28DC244F1AE829C850EA41CF64C75E11A94FE8D228735977B&opt=cablint,x509lint 




This raises some questions about the technical controls in place for 
issuance from this CA.



Yesterday evening Jonathan privately made me aware of a leaf certificate 
(https://crt.sh/?id=73190674) with two SAN:dNSNames that contain 
consecutive dots, which was issued by a Comodo intermediate.  He found 
this cert using the crt.sh DB's lint records.



This morning Robin and I have investigated this bug in our code and 
we've taken the following actions:
   - We've deployed a hotfix to our CA system to prevent any further 
"double dot" mis-issuances.



   - We've confirmed that the bug only affected labels to the left of 
the registrable domain.  (e.g., dNSNames of the form www..domain.com 
were not always rejected, but those of the form www.domain..com were 
always rejected).



This doesn't match the one reported by Ben Wilson, which also exhibits 
various Microsoft related oddities:


https://crt.sh/?id=172218371&opt=cablint,x509lint


   - We've performed an exhaustive search of our certificate database 
and found 2 further unexpired leaf certificates that exhibit this 
"double dot" problem.  I've submitted both of them to some CT logs:

https://crt.sh/?id=174668364
https://crt.sh/?id=174668366

We will revoke all 3 of these leaf certificates ASAP.




Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy






















					Reply via email to