On Tuesday, 17 November 2015 08:04:41 UTC, Peter Bowen wrote:
> Inspired by Rob Stradling's work
> (https://cabforum.org/pipermail/public/2015-November/006269.html), I
> wrote a quick tool to check that commonNames and Subject Alternative
> Names in server auth certificates issued by public CAs were following
> the CA/Browser Forum baseline requirements.
>
> The resulting report of anomalies is available at
> https://docs.google.com/spreadsheets/d/1lJt-1tkgKcbw5woEr4-tcpqB-M-HKwjFNSdX2jla2EU/edit?usp=sharing
>
> The rules are a rather strict interpretation of RFC 5280 and the
> Baseline Requirements. Notably, it will complain if FQDNs are not
> converted to ASCII (as defined in 7.2 and 7.3 of RFC 5280) and will
> complain if there is an IP address flagged as a dNSName in a
> Generalized Name.
>
> There are a couple of rules that may create false positives, so please
> don't assume every certificate on the sheet is problematic.
>
> Thanks,
> Peter
I've found one of the certificates here (*.gov.bn, Symantec issued) seems to contain some NULL characters in the SAN.

https://crt.sh/?serial=331C896050CE23EFAB5CF53237AF093F
and
https://crt.sh/?id=7335256

Wasn't there an issue with spoofing using NULs in certificates several years ago? Verisign back then claimed this couldn't be done, but the cert is recent.

http://www.symantec.com/connect/blogs/busy-day-black-hat

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
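The checks discussed in this thread (FQDNs converted to IDNA ASCII, no IP literals carried as dNSName, and the NUL-in-SAN problem raised in the reply) are small enough to show as a self-contained linter. The following is an added example written for this page, not Peter Bowen's tool and not code from any CA; the CN and SAN values are constructed samples, and the BR section number cited for the CN rule is the editor's reference, not something the thread states.

```python
"""Lint subjectAltName dNSName values against a strict reading of RFC 5280
(sections 7.2/7.3) and the CA/Browser Forum Baseline Requirements.

Added example, not Peter Bowen's tool. The sample names below are constructed
for illustration and belong to no real certificate."""
import ipaddress
import re
from typing import Optional

# Findings are module constants so callers can match on them exactly.
NUL_FINDING = "embedded NUL character in dNSName"
NON_ASCII_FINDING = "non-ASCII dNSName; FQDN must be an IDNA A-label (RFC 5280 7.2)"
IP_AS_DNS_FINDING = "IP address carried as dNSName; belongs in an iPAddress GeneralName"
WILDCARD_FINDING = "wildcard label is not the leftmost label"
LENGTH_FINDING = "dNSName longer than 253 octets"
CN_NOT_IN_SAN_FINDING = "commonName is not one of the subjectAltName values"

# One DNS label under the LDH rule: 1-63 chars, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def lint_dns_name(name: str) -> list:
    """Return the findings for a single dNSName value (empty list if clean)."""
    findings = []
    if "\x00" in name:
        # A NUL splits the name between what is displayed and what is matched.
        findings.append(NUL_FINDING)
    if not name.isascii():
        # RFC 5280 7.2 requires the A-label (xn--...) form, not raw Unicode.
        findings.append(NON_ASCII_FINDING)
    if len(name) > 253:
        findings.append(LENGTH_FINDING)
    # An IP literal parses cleanly here, which is exactly what must not happen
    # in a dNSName: it belongs in an iPAddress GeneralName instead.
    try:
        ipaddress.ip_address(name)
    except ValueError:
        pass
    else:
        findings.append(IP_AS_DNS_FINDING)
        return findings  # label-level checks make no sense for an IP literal
    # Label syntax is only meaningful once the name is plain ASCII without NULs.
    if name.isascii() and "\x00" not in name:
        for index, label in enumerate(name.split(".")):
            if label == "*":
                if index != 0:
                    findings.append(WILDCARD_FINDING)
                continue
            if not LABEL_RE.match(label):
                findings.append(f"invalid label {label!r}")
    return findings


def lint_certificate(common_name: Optional[str], san_dns_names: list) -> dict:
    """Lint every SAN dNSName and apply the BR rule (7.1.4.2.2) that a
    commonName, if present, must also appear in the subjectAltName."""
    report = {n: lint_dns_name(n) for n in san_dns_names}
    if common_name is not None and common_name not in san_dns_names:
        report.setdefault(common_name, []).append(CN_NOT_IN_SAN_FINDING)
    # Keep only names that produced at least one finding.
    return {n: f for n, f in report.items() if f}


# Constructed sample: a hypothetical certificate's CN and SAN dNSName entries.
SAMPLE_CN = "www.example.com"
SAMPLE_SAN = [
    "www.example.com",
    "*.example.org",
    "xn--bcher-kva.example",             # IDNA A-label: acceptable
    "b\u00fccher.example",               # raw U-label: not converted to ASCII
    "192.0.2.10",                        # IP literal mis-typed as dNSName
    "www.example.com\x00other.example",  # embedded NUL
    "foo.*.example.com",                 # wildcard not in the leftmost label
]

if __name__ == "__main__":
    for name, findings in lint_certificate(SAMPLE_CN, SAMPLE_SAN).items():
        print(f"{name!r}: {'; '.join(findings)}")
```

Run it and the four offending sample names are reported while the three compliant ones are silent. On a real certificate the SAN dNSName strings would come from an X.509 parser; as Peter notes, a strict linter like this produces some false positives, so its output is a list of entries to inspect, not a verdict.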