> On 30 Jun 2016, at 23:10, Andrew Ayer <a...@andrewayer.name> wrote:
>
> On Thu, 30 Jun 2016 22:36:19 +0200
> Christiaan Ottow <cot...@computest.nl> wrote:
>
>> We acquired certificates for a private domain (and some subdomains)
>> of the tester in question, and one for our domain pine.nl. Details of
>> the latter are attached, with the modulus and signature left out. The
>> SHA256 fingerprint of the certificate is:
>> A7:E5:BD:6E:81:8F:A8:CE:FD:73:97:32:70:06:89:59:98:86:33:5A:06:7E:FD:ED:EA:B6:19:B3:3F:67:F6:A1
>
> Thanks. There's no SCT extension, despite StartCom claiming to embed
> SCTs in all certificates they issue. Also, the cert was issued over a
> week ago, so even if StartCom was logging post-issuance the cert should
> have been logged by now.
>
> I would like to hear StartCom explain this as well.
>
> Regards,
> Andrew

If you plan on checking CT logs, make sure to check WoSign-signed certs as well. The "caID" parameter in the POST request to the StartEncrypt API allows you to select which CA will sign your certificate. The default, "2", causes your request to be signed by "StartCom Class 1 DV Server CA", "1" selects "WoSign CA Free SSL Certificate G2" and "0" selects "CA 沃通根证书". Perhaps the certificates are being logged into a different CT audit server because of this feature.

We selected "1" for a test certificate last week, and the certificate we obtained was dated 20 December 2015, and signed using a SHA-1 checksum. I've attached the certificate (excluding modulus and signature). The checksum (SHA256) of the full cert is D1:2F:AB:12:E2:40:70:40:B4:2B:FF:46:FF:9B:A8:BB:8C:1F:63:E4:7F:ED:F2:D3:70:D2:12:3B:54:28:D1:4B

Kind regards,

Christiaan Ottow
CTO Security

Computest • Pine Digital Security
M: +31 (0) 6 51997213 • T: +31 (0) 88 7331337
E: cot...@computest.nl • I: www.computest.nl
A: Signaalrood 25 • 2718 SH Zoetermeer
P: https://www.pine.nl/4eo3UYWmU.asc

Pine Digital Security is part of Computest

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            65:65:e1:71:0a:48:fb:be:1e:2b:61:83:5c:78:9c:39
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, O=WoSign CA Limited, CN=WoSign CA Free SSL Certificate G2
        Validity
            Not Before: Dec 20 01:27:28 2015 GMT
            Not After : Dec 29 16:00:00 2016 GMT
        Subject: CN=startssl9.s.xnyhps.nl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                E8:A7:BF:9B:15:3A:16:73:8B:AC:9C:D7:23:6F:AF:F3:CD:24:BC:C2
            X509v3 Authority Key Identifier:
                keyid:D2:A7:16:20:7C:AF:D9:95:9E:EB:43:0A:19:F2:E0:B9:74:0E:A8:C7
            Authority Information Access:
                OCSP - URI:http://ocsp1.wosign.com/ca6/server1/free
                CA Issuers - URI:http://aia1.wosign.com/ca6.server1.free.cer
            X509v3 CRL Distribution Points:
                URI:http://crls1.wosign.com/ca6-server1-free.crl
            X509v3 Subject Alternative Name:
                DNS:startssl9.s.xnyhps.nl
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.36305.1.1.2
                  CPS: http://www.wosign.com/policy/
    Signature Algorithm: sha1WithRSAEncryption
        ...
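
Added example, not part of the original message or its attachment: a small audit over `openssl x509 -text` output that flags the three properties raised in this thread (SHA-1 signature, no embedded SCT list, a notBefore well before the certificate was obtained). The function name, the 2-day tolerance and the "obtained" date are assumptions; the message only says the certificate was requested "last week".

```python
import re
from datetime import datetime, timezone

# Constructed sample: selected fields copied from the certificate dump in
# this message (modulus and signature are elided there as well).
SAMPLE = """\
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, O=WoSign CA Limited, CN=WoSign CA Free SSL Certificate G2
Not Before: Dec 20 01:27:28 2015 GMT
Not After : Dec 29 16:00:00 2016 GMT
Subject: CN=startssl9.s.xnyhps.nl
X509v3 extensions:
    X509v3 Key Usage: critical
    X509v3 Basic Constraints:
        CA:FALSE
"""

# Label OpenSSL prints for the embedded SCT list extension, plus its OID
# for builds that do not know the extension by name.
SCT_MARKERS = ("CT Precertificate SCTs", "1.3.6.1.4.1.11129.2.4.2")

# Assumption: a date consistent with "last week" relative to 30 Jun 2016.
OBTAINED = datetime(2016, 6, 23, tzinfo=timezone.utc)

def audit_cert_text(text, obtained, max_backdate_days=2):
    """Return finding names for one `openssl x509 -text` dump."""
    findings = []
    alg = re.search(r"Signature Algorithm:\s*(\S+)", text)
    if alg and alg.group(1).lower().startswith(("sha1", "md5")):
        findings.append("weak_signature_hash")
    # Absence here only means no *embedded* SCTs; SCTs can also be delivered
    # in the TLS handshake or a stapled OCSP response.
    if not any(marker in text for marker in SCT_MARKERS):
        findings.append("no_embedded_sct")
    nb = re.search(r"Not Before\s*:\s*(.+?)\s+GMT", text)
    if nb is None:
        findings.append("unparsed_not_before")
    else:
        not_before = datetime.strptime(nb.group(1), "%b %d %H:%M:%S %Y")
        not_before = not_before.replace(tzinfo=timezone.utc)
        if (obtained - not_before).days > max_backdate_days:
            findings.append("backdated_not_before")
    return findings

if __name__ == "__main__":
    print(audit_cert_text(SAMPLE, OBTAINED))
```
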
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy