Hi all,

We've checked logs and still don't have a final conclusion, but some clues about it.

There were 2 attempts to request a cert for crossbear.org. The first one was 10 minutes before and was rejected because of a timeout, but the second, the one issued, permitted the issuance.

# 1st request for crossbear.org at 11:36

11:36:57,399 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (http--0.0.0.0-8443-2) 2017-09-09 11:36:57+08:00;CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=ejbcaws,C=CN;-366638826;;crossbear.org;subjectdn=CN=crossbear.org,C=DE;requestX500name=C=DE,O=TUM,CN=crossbear.org;subjectaltname=DNSNAME=crossbear.org;requestaltname=;certprofile=2102604971;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm9PKsCgR0gsedHsp4UgQLzMc9ufjZvOg5MkyB8H7DDjuSY3lxcjTMqWHzwMJyJT6q/seCehfXaZ069CQt1vakgvyFhNZT4DhL52FPN3L+EqFIerT9dUH60aL/bssDZ+L1vJ0R1+1vbM/8ZELPl1zrqhaZInMWvp3odxlhT/MXNR1NFZ4GMctWYyxqXg1N94eQ1HoG18ssVEZx21La6f+DXldxhUHhJUW6H1v+lSpXA32MMytJ9EfIhl5pGFkIz/hx4T9CNSgxId/qEE2Z5rbl9+vmkjmk5ZqEGOwUlgxxjTVtjp5qJ4TJrtRxu2spKtovvY+b2z4bHT7EjYbBXx00QIDAQAB

11:37:07,416 ERROR [org.jboss.as.ejb3.tx.CMTTxInterceptor] (http--0.0.0.0-8443-2) javax.ejb.EJBTransactionRolledbackException: java.net.SocketTimeoutException
more exception stack
Caused by: java.lang.IllegalStateException: java.net.SocketTimeoutException
    at org.ejbca.util.validation.caa.CaaDnsLookup.lookup(CaaDnsLookup.java:534) [caa.jar:]
    at org.ejbca.util.validation.caa.CaaDnsLookup.lookupDomain(CaaDnsLookup.java:257) [caa.jar:]
    at org.ejbca.util.validation.caa.CaaDnsLookup.performLookupForDomains(CaaDnsLookup.java:199) [caa.jar:]
    at org.ejbca.core.model.validation.CaaValidator.validate(CaaValidator.java:108) [caa.jar:EJBCA 6.9.0.4 Enterprise (r26507)]
more exception stack

# 2nd request for crossbear.org at 11:44

11:44:06,011 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (http--0.0.0.0-8443-2) 2017-09-09 11:44:06+08:00;CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=ejbcaws,C=CN;-366638826;;crossbear.org;subjectdn=CN=crossbear.org,C=DE;requestX500name=C=DE,O=TUM,CN=crossbear.org;subjectaltname=DNSNAME=crossbear.org;requestaltname=;certprofile=2102604971;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm9PKsCgR0gsedHsp4UgQLzMc9ufjZvOg5MkyB8H7DDjuSY3lxcjTMqWHzwMJyJT6q/seCehfXaZ069CQt1vakgvyFhNZT4DhL52FPN3L+EqFIerT9dUH60aL/bssDZ+L1vJ0R1+1vbM/8ZELPl1zrqhaZInMWvp3odxlhT/MXNR1NFZ4GMctWYyxqXg1N94eQ1HoG18ssVEZx21La6f+DXldxhUHhJUW6H1v+lSpXA32MMytJ9EfIhl5pGFkIz/hx4T9CNSgxId/qEE2Z5rbl9+vmkjmk5ZqEGOwUlgxxjTVtjp5qJ4TJrtRxu2spKtovvY+b2z4bHT7EjYbBXx00QIDAQAB

11:44:06,023 INFO [org.cesecore.keys.validation.KeyValidatorSessionBean] (http--0.0.0.0-8443-2) CAA Validator 'CAAValidator' has permitted issuance of certificates to issuer startcomca.com.

We have opened a ticket with PrimeKey to check with them what could be the issue. Don't know if there was any change between requests; maybe Quirin can help.

We've also received another 2 requests for crossbear.net, which were denied because it had a CAA record not listing StartCom.

# 1st request for crossbear.net at 14:40

14:40:12,068 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (http--0.0.0.0-8443-1) 2017-09-09 14:40:12+08:00;CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=ejbcaws,C=CN;-366638826;;crossbear.net;subjectdn=CN=crossbear.net,C=DE;requestX500name=C=DE,O=TUM,CN=crossbear.org;subjectaltname=DNSNAME=crossbear.net;requestaltname=;certprofile=2102604971;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm9PKsCgR0gsedHsp4UgQLzMc9ufjZvOg5MkyB8H7DDjuSY3lxcjTMqWHzwMJyJT6q/seCehfXaZ069CQt1vakgvyFhNZT4DhL52FPN3L+EqFIerT9dUH60aL/bssDZ+L1vJ0R1+1vbM/8ZELPl1zrqhaZInMWvp3odxlhT/MXNR1NFZ4GMctWYyxqXg1N94eQ1HoG18ssVEZx21La6f+DXldxhUHhJUW6H1v+lSpXA32MMytJ9EfIhl5pGFkIz/hx4T9CNSgxId/qEE2Z5rbl9+vmkjmk5ZqEGOwUlgxxjTVtjp5qJ4TJrtRxu2spKtovvY+b2z4bHT7EjYbBXx00QIDAQAB

14:40:12,447 INFO [org.ejbca.util.validation.caa.CaaDnsLookup] (http--0.0.0.0-8443-1) Found CAA Record for domain crossbear.net.: crossbear.net. 300 IN CAA 0 issue ";"
14:40:12,447 INFO [org.ejbca.util.validation.caa.CaaDnsLookup] (http--0.0.0.0-8443-1) Found CAA Record for domain crossbear.net.: crossbear.net. 300 IN CAA 0 iodef "mailto:c...@crossbear.net"
14:40:12,448 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (http--0.0.0.0-8443-1) 2017-09-09 14:40:12+08:00;VALIDATOR_VALIDATION_FAILED;FAILURE;VALIDATOR;CORE;CN=ejbcaws,C=CN;-366638826;;crossbear.net;msg=CAA Validator 'CAAValidator' failed issuance of certificates to issuer startcomca.com.

# 2nd request for crossbear.net at 14:41

14:41:00,891 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (http--0.0.0.0-8443-1) 2017-09-09 14:41:00+08:00;CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=ejbcaws,C=CN;-366638826;;crossbear.net;subjectdn=CN=crossbear.net,C=DE;requestX500name=C=DE,O=TUM,CN=crossbear.org;subjectaltname=DNSNAME=crossbear.net;requestaltname=;certprofile=2102604971;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm9PKsCgR0gsedHsp4UgQLzMc9ufjZvOg5MkyB8H7DDjuSY3lxcjTMqWHzwMJyJT6q/seCehfXaZ069CQt1vakgvyFhNZT4DhL52FPN3L+EqFIerT9dUH60aL/bssDZ+L1vJ0R1+1vbM/8ZELPl1zrqhaZInMWvp3odxlhT/MXNR1NFZ4GMctWYyxqXg1N94eQ1HoG18ssVEZx21La6f+DXldxhUHhJUW6H1v+lSpXA32MMytJ9EfIhl5pGFkIz/hx4T9CNSgxId/qEE2Z5rbl9+vmkjmk5ZqEGOwUlgxxjTVtjp5qJ4TJrtRxu2spKtovvY+b2z4bHT7EjYbBXx00QIDAQAB

14:41:00,905 INFO [org.ejbca.util.validation.caa.CaaDnsLookup] (http--0.0.0.0-8443-1) Found CAA Record for domain crossbear.net.: crossbear.net. 252 IN CAA 0 issue ";"
14:41:00,905 INFO [org.ejbca.util.validation.caa.CaaDnsLookup] (http--0.0.0.0-8443-1) Found CAA Record for domain crossbear.net.: crossbear.net. 252 IN CAA 0 iodef "mailto:c...@crossbear.net"
14:41:00,906 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (http--0.0.0.0-8443-1) 2017-09-09 14:41:00+08:00;VALIDATOR_VALIDATION_FAILED;FAILURE;VALIDATOR;CORE;CN=ejbcaws,C=CN;-366638826;;crossbear.net;msg=CAA Validator 'CAAValidator' failed issuance of certificates to issuer startcomca.com.

We'll keep investigating this.

Best regards

Iñigo Barreira
CEO
StartCom CA Limited

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+inigo=startcomca....@lists.mozilla.org] On Behalf Of Inigo Barreira via dev-security-policy
Sent: Tuesday, 12 September 2017 12:44
To: Nick Lamb <tialara...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

Ok, let me investigate this further, maybe I didn't catch it rightly.

For the record, the certificate was revoked.

Best regards

Iñigo Barreira
CEO
StartCom CA Limited

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+inigo=startcomca....@lists.mozilla.org] On Behalf Of Nick Lamb via dev-security-policy
Sent: Tuesday, 12 September 2017 12:26
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

On Tuesday, 12 September 2017 10:38:56 UTC+1, Inigo Barreira wrote:
> Furthermore, according to the logs, at the time of checking for a CAA record, there was none. The lookup was successful and hence allowed the issuance.

Given that this contradicts the facts alleged in Quirin's tests and the feedback from BuyPass, I would strongly recommend doing further testing to ensure that StartCom's systems detect [and log] timeouts and other failures properly for CAA records. I'm sure Quirin will try to offer reasonable assistance in reproducing the problem.

It is definitely worth noting that with DNSSEC _enabled_ a CA ends up having cryptographic proof of their results - which could be recorded in case of any dispute. If you had such proof for the permissive CAA record we wouldn't need to investigate StartCom's systems or policies, we could examine the record and conclude that Quirin made an error somewhere and permitted this issuance without knowing anything about StartCom or needing to take you at your word.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
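A worked illustration of the distinction this thread turns on, added here and not code from StartCom, EJBCA or anyone on the list: a CAA decision routine in which a timed-out lookup is never read as "no CAA record", and in a DNSSEC-signed zone is always a denial (a retried failure in an unsigned zone is the only case the Baseline Requirements, section 3.2.2.8, let a CA treat as permission). The CaaRecord/Lookup shapes, make_resolver and the example.org results are constructed assumptions; the crossbear.net records mirror the log lines above.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class CaaRecord:
    flags: int   # bit 7 (128) marks the property issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # for "issue": an issuer domain; ";" means nobody may issue

@dataclass
class Lookup:
    records: Optional[List[CaaRecord]]  # None = query failed (timeout, SERVFAIL)
    dnssec_signed: bool = False         # zone has a DNSSEC chain to the root

def issue_allowed(rrset: List[CaaRecord], issuer: str) -> bool:
    """RFC 6844 'issue' semantics for a non-wildcard name (issuewild ignored)."""
    if any(r.flags & 128 and r.tag.lower() not in ("issue", "issuewild", "iodef") for r in rrset):
        return False  # a critical property we do not understand forbids issuance
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    if not issue:
        return True   # CAA RRset present, but it places no issuer restriction
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in issue}
    return issuer.lower() in allowed  # value ";" yields "" and matches nobody

def caa_permits(resolve: Callable[[str], Lookup], domain: str, issuer: str,
                retries: int = 1) -> bool:
    """First CAA RRset found climbing towards the root decides; a failed query is never 'no record'."""
    labels = domain.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        result, attempt = resolve(name), 0
        while result.records is None:
            if result.dnssec_signed:
                return False  # signed zone: a timeout is a failure, never permission
            if attempt >= retries:
                return True   # unsigned zone, already retried: the BR allowance
            attempt += 1
            result = resolve(name)
        if result.records:
            return issue_allowed(result.records, issuer)
    return True  # no CAA RRset at any label: issuance is not restricted

def make_resolver(attempts: dict) -> Callable[[str], Lookup]:
    """Constructed DNS stand-in: name -> queue of results, one per attempt."""
    def resolve(name: str) -> Lookup:
        queue = attempts.get(name)
        if not queue:
            return Lookup(records=[])  # not listed: NODATA, no CAA at this label
        return queue.pop(0) if len(queue) > 1 else queue[0]
    return resolve
```

With the crossbear.net records from the log (`0 issue ";"` plus an iodef), caa_permits returns False for startcomca.com, and a signed zone whose query times out also returns False rather than falling through to "no record".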