subject:"\[openssl\-users\] SSL Cert serial number non\-uniqueness impact"

Re: [openssl-users] SSL Cert serial number non-uniqueness impact

2018-01-16 Thread Kyle Hamilton

It's important to note that NSS-based applications (such as Firefox)
will actually categorically refuse to connect to a site with an
Issuer/serial collision with another certificate it has seen before.

So yes, it can cause some applications to fail their SSL connections.

-Kyle H

On Tue, Jan 16, 2018 at 1:26 AM, Wouter Verhelst
 wrote:
> On 14/01/2018 12:07, pratyush parimal wrote:
>> Hi everyone,
>>
>> I read  from several sources that the serial number of a cert MUST be
>> unique within a CA. But could someone explain what would happen if the
>> serial number was not unique?
>
> The certificate itself will continue to work (the signature will be
> valid), but requesting status on the certificate (e.g., through OCSP or
> by doing a lookup in a CRL) will not work as expected as those use the
> serial number as an identifier.
>
>> Would it cause SSL connections to fail in some manner?
> No, but if the peer wants to request information on the used certificate
> from the CA to verify whether the certificate is still valid, it may end
> up receiving information about the wrong certificate.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] SSL Cert serial number non-uniqueness impact

2018-01-16 Thread Wouter Verhelst

On 14/01/2018 12:07, pratyush parimal wrote:
> Hi everyone,
>
> I read  from several sources that the serial number of a cert MUST be
> unique within a CA. But could someone explain what would happen if the
> serial number was not unique?

The certificate itself will continue to work (the signature will be
valid), but requesting status on the certificate (e.g., through OCSP or
by doing a lookup in a CRL) will not work as expected as those use the
serial number as an identifier.

> Would it cause SSL connections to fail in some manner?
No, but if the peer wants to request information on the used certificate
from the CA to verify whether the certificate is still valid, it may end
up receiving information about the wrong certificate.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] SSL Cert serial number non-uniqueness impact

2018-01-14 Thread Salz, Rich via openssl-users

The combination of (issuer,serial#) is the only way to get a unique identifier 
for a certificate.  Lots of software depends on certs being uniquely 
identifiable.  What happens if that assertion is not true?  Some things will 
break.  What?  Well, it depends on the software, and which certs are 
“duplicates” and so on.  There’s no way to know, really.  Just don’t do it.

For example, if cert-A has a keypair and cert-B has a keypair, then site-B 
could send a TLS chain with cert-A and while it would look correct, the 
connection would fail.  This is silly if B is doing it, but it is a DoS attack 
if a man in the middle does it.
 

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] SSL Cert serial number non-uniqueness impact

2018-01-14 Thread Jochen Bern

On 01/14/2018 12:07 PM, pratyush parimal wrote:
> I read  from several sources that the serial number of a cert MUST be
> unique within a CA. But could someone explain what would happen if the
> serial number was not unique?

Certificate Revocation Lists (CRLs) identify invalid certificates by
means of a) the CA keypair that issued it (the pubkey being represented
in the signature) and b) the serial number, *not* pubkey / DN / ..., of
the invalid cert. If that's not unique, revoking one of the affected
certs will have the effect of revoking them all.

Regards,
-- 
Jochen Bern
Systemingenieur

www.binect.de

smime.p7s
Description: S/MIME Cryptographic Signature
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] SSL Cert serial number non-uniqueness impact

2018-01-14 Thread pratyush parimal

Hi everyone,

I read  from several sources that the serial number of a cert MUST be
unique within a CA. But could someone explain what would happen if the
serial number was not unique?

Would it cause SSL connections to fail in some manner? I think I'm a little
unclear about the "purpose" of the serial number in the first place. Is it
just something the CA uses to keep track of what/how many certificates it
has issued, or does it play a part in the SSL connection itself?

Thanks in advance!
Pratyush
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] SSL Cert serial number non-uniqueness impact

Re: [openssl-users] SSL Cert serial number non-uniqueness impact

Re: [openssl-users] SSL Cert serial number non-uniqueness impact

Re: [openssl-users] SSL Cert serial number non-uniqueness impact

[openssl-users] SSL Cert serial number non-uniqueness impact

5 matches

Site Navigation

Mail list logo

Footer information