On 03/30/2017 09:04 AM, Sean Leonard wrote: > IN PARTICULAR: both Apache and Ngnix may be subject to a private key > substitution attack with naive passing of the ACME response to the web > server! See: > http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate > http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatefile > > The SSL Certificate option includes the option of including the > private key in the same input: “A secret key in the PEM format may be > placed in the same file.” > > What this means is that a malicious ACME server can serve a > certificate per the client’s request, but substitute the server’s > specified private key with the ACME server’s own choice of private key > by including -----BEGIN RSA PRIVATE KEY----- in the response. Then > when put into production, the ACME server operator will be able to > decrypt all of the traffic. WHOOPS. (Obviously the ACME server can > impersonate the web/TLS server, since it’s a CA component, but this is > not what you want.) This is a good point, and makes me more inclined towards the "concatenated DER" approach you suggested, if it looks like it would be straightforward for clients to implement. Specifically because any client transforming the DER into PEM would be responsible for adding the "-----BEGIN CERTIFICATE-----" delimiters, and would be very unlikely to output private key delimiters instead.
_______________________________________________ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
