Hi all,

We've checked logs and still don't have a final conclusion but some clues
about it.

There were 2 attempts to request a cert for crossbear.org, the first one was
10 minutes before and was rejected because of timeout but the second, the
one issued, permitted the issuance.

# 1st request for crossbear.org at 11:36 
11:36:57,399 INFO [org.cesecore.audit.impl.log4j.Log4jDevice]
(http--0.0.0.0-8443-2) 2017-09-09
11:36:57+08:00;CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=ejbca 
ws,C=CN;-366638826;;crossbear.org;subjectdn=CN=crossbear.org,C=DE;requestX50
0name=C=DE,O=TUM,CN=crossbear.org;subjectaltname=DNSNAME=crossbear.org;reque
staltn 
ame=;certprofile=2102604971;keyusage=-1;notbefore=;notafter=;sequence=;publi
ckey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm9PKsCgR0gsedHsp4UgQLzMc9uf
jZvOg5 
MkyB8H7DDjuSY3lxcjTMqWHzwMJyJT6q/seCehfXaZ069CQt1vakgvyFhNZT4DhL52FPN3L+EqFI
erT9dUH60aL/bssDZ+L1vJ0R1+1vbM/8ZELPl1zrqhaZInMWvp3odxlhT/MXNR1NFZ4GMctWYyxq
Xg1N94 
eQ1HoG18ssVEZx21La6f+DXldxhUHhJUW6H1v+lSpXA32MMytJ9EfIhl5pGFkIz/hx4T9CNSgxId
/qEE2Z5rbl9+vmkjmk5ZqEGOwUlgxxjTVtjp5qJ4TJrtRxu2spKtovvY+b2z4bHT7EjYbBXx00QI
DAQAB 
11:37:07,416 ERROR [org.jboss.as.ejb3.tx.CMTTxInterceptor]
(http--0.0.0.0-8443-2) javax.ejb.EJBTransactionRolledbackException:
java.net.SocketTimeoutException 
… more exception stack 
Caused by: java.lang.IllegalStateException: java.net.SocketTimeoutException 
        at
org.ejbca.util.validation.caa.CaaDnsLookup.lookup(CaaDnsLookup.java:534)
[caa.jar:] 
        at
org.ejbca.util.validation.caa.CaaDnsLookup.lookupDomain(CaaDnsLookup.java:25
7) [caa.jar:] 
        at
org.ejbca.util.validation.caa.CaaDnsLookup.performLookupForDomains(CaaDnsLoo
kup.java:199) [caa.jar:] 
        at
org.ejbca.core.model.validation.CaaValidator.validate(CaaValidator.java:108)
[caa.jar:EJBCA 6.9.0.4 Enterprise (r26507)] 
… more exception stack 
  
# 2nd request for crossbear.org at 11:44 
11:44:06,011 INFO [org.cesecore.audit.impl.log4j.Log4jDevice]
(http--0.0.0.0-8443-2) 2017-09-09
11:44:06+08:00;CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=ejbca 
ws,C=CN;-366638826;;crossbear.org;subjectdn=CN=crossbear.org,C=DE;requestX50
0name=C=DE,O=TUM,CN=crossbear.org;subjectaltname=DNSNAME=crossbear.org;reque
staltn 
ame=;certprofile=2102604971;keyusage=-1;notbefore=;notafter=;sequence=;publi
ckey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm9PKsCgR0gsedHsp4UgQLzMc9uf
jZvOg5 
MkyB8H7DDjuSY3lxcjTMqWHzwMJyJT6q/seCehfXaZ069CQt1vakgvyFhNZT4DhL52FPN3L+EqFI
erT9dUH60aL/bssDZ+L1vJ0R1+1vbM/8ZELPl1zrqhaZInMWvp3odxlhT/MXNR1NFZ4GMctWYyxq
Xg1N94 
eQ1HoG18ssVEZx21La6f+DXldxhUHhJUW6H1v+lSpXA32MMytJ9EfIhl5pGFkIz/hx4T9CNSgxId
/qEE2Z5rbl9+vmkjmk5ZqEGOwUlgxxjTVtjp5qJ4TJrtRxu2spKtovvY+b2z4bHT7EjYbBXx00QI
DAQAB 
11:44:06,023 INFO [org.cesecore.keys.validation.KeyValidatorSessionBean]
(http--0.0.0.0-8443-2) CAA Validator 'CAAValidator' has permitted issuance
of certificates to issuer startcomca.com.

We have opened a ticket with Primekey to check with them what could be the
issue. Don't know if between requests there was any change, maybe Quirin can
help.

We've also received another 2 requests for crossbear.net which were denied
because they had a CAA record not listing startcom.

# 1st request for crossbear.net at 14:40 
14:40:12,068 INFO [org.cesecore.audit.impl.log4j.Log4jDevice]
(http--0.0.0.0-8443-1) 2017-09-09
14:40:12+08:00;CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=ejbca 
ws,C=CN;-366638826;;crossbear.net;subjectdn=CN=crossbear.net,C=DE;requestX50
0name=C=DE,O=TUM,CN=crossbear.org;subjectaltname=DNSNAME=crossbear.net;reque
staltn 
ame=;certprofile=2102604971;keyusage=-1;notbefore=;notafter=;sequence=;publi
ckey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm9PKsCgR0gsedHsp4UgQLzMc9uf
jZvOg5 
MkyB8H7DDjuSY3lxcjTMqWHzwMJyJT6q/seCehfXaZ069CQt1vakgvyFhNZT4DhL52FPN3L+EqFI
erT9dUH60aL/bssDZ+L1vJ0R1+1vbM/8ZELPl1zrqhaZInMWvp3odxlhT/MXNR1NFZ4GMctWYyxq
Xg1N94 
eQ1HoG18ssVEZx21La6f+DXldxhUHhJUW6H1v+lSpXA32MMytJ9EfIhl5pGFkIz/hx4T9CNSgxId
/qEE2Z5rbl9+vmkjmk5ZqEGOwUlgxxjTVtjp5qJ4TJrtRxu2spKtovvY+b2z4bHT7EjYbBXx00QI
DAQAB 
14:40:12,447 INFO [org.ejbca.util.validation.caa.CaaDnsLookup]
(http--0.0.0.0-8443-1) Found CAA Record for domain crossbear.net.:
crossbear.net. 
  300 IN CAA 0 issue ";" 
14:40:12,447 INFO [org.ejbca.util.validation.caa.CaaDnsLookup]
(http--0.0.0.0-8443-1) Found CAA Record for domain crossbear.net.:
crossbear.net. 
  300 IN CAA 0 iodef "mailto:c...@crossbear.net"; 
14:40:12,448 INFO [org.cesecore.audit.impl.log4j.Log4jDevice]
(http--0.0.0.0-8443-1) 2017-09-09
14:40:12+08:00;VALIDATOR_VALIDATION_FAILED;FAILURE;VALIDATOR; 
CORE;CN=ejbcaws,C=CN;-366638826;;crossbear.net;msg=CAA Validator
'CAAValidator' failed issuance of certificates to issuer startcomca.com.

# 2nd request for crossbear.net at 14:41 
14:41:00,891 INFO [org.cesecore.audit.impl.log4j.Log4jDevice]
(http--0.0.0.0-8443-1) 2017-09-09
14:41:00+08:00;CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=ejbca 
ws,C=CN;-366638826;;crossbear.net;subjectdn=CN=crossbear.net,C=DE;requestX50
0name=C=DE,O=TUM,CN=crossbear.org;subjectaltname=DNSNAME=crossbear.net;reque
staltn 
ame=;certprofile=2102604971;keyusage=-1;notbefore=;notafter=;sequence=;publi
ckey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm9PKsCgR0gsedHsp4UgQLzMc9uf
jZvOg5 
MkyB8H7DDjuSY3lxcjTMqWHzwMJyJT6q/seCehfXaZ069CQt1vakgvyFhNZT4DhL52FPN3L+EqFI
erT9dUH60aL/bssDZ+L1vJ0R1+1vbM/8ZELPl1zrqhaZInMWvp3odxlhT/MXNR1NFZ4GMctWYyxq
Xg1N94 
eQ1HoG18ssVEZx21La6f+DXldxhUHhJUW6H1v+lSpXA32MMytJ9EfIhl5pGFkIz/hx4T9CNSgxId
/qEE2Z5rbl9+vmkjmk5ZqEGOwUlgxxjTVtjp5qJ4TJrtRxu2spKtovvY+b2z4bHT7EjYbBXx00QI
DAQAB 
14:41:00,905 INFO [org.ejbca.util.validation.caa.CaaDnsLookup]
(http--0.0.0.0-8443-1) Found CAA Record for domain crossbear.net.:
crossbear.net. 
  252 IN CAA 0 issue ";" 
14:41:00,905 INFO [org.ejbca.util.validation.caa.CaaDnsLookup]
(http--0.0.0.0-8443-1) Found CAA Record for domain crossbear.net.:
crossbear.net. 
  252 IN CAA 0 iodef "mailto:c...@crossbear.net"; 
14:41:00,906 INFO [org.cesecore.audit.impl.log4j.Log4jDevice]
(http--0.0.0.0-8443-1) 2017-09-09
14:41:00+08:00;VALIDATOR_VALIDATION_FAILED;FAILURE;VALIDATOR; 
CORE;CN=ejbcaws,C=CN;-366638826;;crossbear.net;msg=CAA Validator
'CAAValidator' failed issuance of certificates to issuer startcomca.com.

We'll keep investigating this.

Best regards

Iñigo Barreira
CEO
StartCom CA Limited
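As an added illustration of the failure mode in the logs above (this is not StartCom's or EJBCA's code), the following Python sketch parses CAA records in the form EJBCA logged them and decides issuance for an issuer domain, keeping a timed-out lookup as its own outcome instead of treating it like an empty answer. The `lookup` dict shape, the helper names and the placeholder iodef address are assumptions.

```python
import re

# Zone-file style CAA line as EJBCA logged it: crossbear.net. 300 IN CAA 0 issue ";"
CAA_LINE = re.compile(r'^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+CAA\s+'
                      r'(?P<flags>\d+)\s+(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"')
KNOWN_TAGS = ("issue", "issuewild", "iodef")

def parse_caa(line):
    """Parse one logged CAA record into its flags, tag and value."""
    m = CAA_LINE.match(line.strip())
    if not m:
        raise ValueError("not a CAA record: %r" % line)
    return {"flags": int(m["flags"]), "tag": m["tag"].lower(), "value": m["value"]}

def caa_decision(lookup, issuer):
    """Return (permitted, reason) for an issuer domain such as 'startcomca.com'.
    lookup (assumed shape): {"status": "ok"|"timeout"|"servfail"|"bogus",
    "records": [<logged CAA lines>]}; only "ok" plus an empty list means 'no CAA'.
    """
    if lookup["status"] != "ok":
        # The failure mode in the thread: a timed-out lookup must stay a
        # distinct outcome, never collapsed into "no CAA record". Fail closed;
        # any relaxation (retry, failure outside the CA's infrastructure, zone
        # not DNSSEC-signed) is a separate, explicitly logged decision.
        return False, "CAA lookup %s: denying issuance to %s" % (lookup["status"], issuer)
    records = [parse_caa(line) for line in lookup["records"]]
    for r in records:
        # RFC 6844: critical flag (128) on a tag we do not understand forbids
        # issuance regardless of the rest of the RRset.
        if r["flags"] & 128 and r["tag"] not in KNOWN_TAGS:
            return False, "critical CAA tag %r not understood" % r["tag"]
    issue = [r for r in records if r["tag"] == "issue"]
    if not issue:
        # iodef-only or empty RRset: CAA places no restriction on this issuer.
        return True, "no issue records: CAA does not restrict %s" % issuer
    for r in issue:
        # 'issue ";"' carries an empty issuer domain, which matches nobody.
        domain = r["value"].split(";", 1)[0].strip().lower()
        if domain == issuer.lower():
            return True, "issue record names %s" % issuer
    return False, "no issue record names %s" % issuer

# Constructed sample mirroring the crossbear.net RRset in the logs above; the
# iodef address is a placeholder, not the real one.
CROSSBEAR_NET = {"status": "ok", "records": [
    'crossbear.net.   300 IN CAA 0 issue ";"',
    'crossbear.net.   300 IN CAA 0 iodef "mailto:caa-contact@example.net"']}
TIMED_OUT = {"status": "timeout", "records": []}   # the 11:36 crossbear.org case
```

Calling `caa_decision(CROSSBEAR_NET, "startcomca.com")` reproduces the 14:40 denial, and `caa_decision(TIMED_OUT, "startcomca.com")` denies instead of permitting.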


-----Original Message-----
From: dev-security-policy
[mailto:dev-security-policy-bounces+inigo=startcomca....@lists.mozilla.org]
On Behalf Of Inigo Barreira via dev-security-policy
Sent: martes, 12 de septiembre de 2017 12:44
To: Nick Lamb <tialara...@gmail.com>;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

Ok, let me investigate this further, maybe I didn't catch it rightly.
For the record, the certificate was revoked.

Best regards

Iñigo Barreira
CEO
StartCom CA Limited


-----Original Message-----
From: dev-security-policy
[mailto:dev-security-policy-bounces+inigo=startcomca....@lists.mozilla.org]
On Behalf Of Nick Lamb via dev-security-policy
Sent: martes, 12 de septiembre de 2017 12:26
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

On Tuesday, 12 September 2017 10:38:56 UTC+1, Inigo Barreira  wrote:
> Furthermore, according to the logs, at the time of checking for a CAA
> record, there was none. The lookup was successful and hence allowed the
> issuance.

Given that this contradicts the facts alleged in Quirin's tests and the
feedback from BuyPass I would strongly recommend doing further testing to
ensure that StartCom's systems detect [and log] timeouts and other failures
properly for CAA records. I'm sure Quirin will try to offer reasonable
assistance in reproducing the problem.

It is definitely worth noting that with DNSSEC _enabled_ a CA ends up having
cryptographic proof of their results - which could be recorded in case of
any dispute. If you had such proof for the permissive CAA record we wouldn't
need to investigate StartCom's systems or policies, we could examine the
record and conclude that Quirin made an error somewhere and permitted this
issuance without knowing anything about StartCom or needing to take you at
your word.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
