apache not serving CT information to chrome


Dil Lee

May 3, 2018, 5:27:12 AM5/3/18
to certificate-transparency
Hello,
I have a recently issued SSL cert from GoDaddy.

-running:
openssl-1.0.2
httpd-2.4.6

-It had been added to CT logs by GoDaddy.
https://crt.sh/?id=395704043

-SCT had been embedded into the crt by GoDaddy
(checked via https://decoder.link/)

-chrome still shows no CT information of my site.
relevant netlog snippet from chrome 66:

t=7738858 [st= 54]        SIGNED_CERTIFICATE_TIMESTAMPS_RECEIVED
                          --> embedded_scts = ""
                          --> scts_from_ocsp_response = ""
                          --> scts_from_tls_extension = ""
t=7738858 [st= 54]        SIGNED_CERTIFICATE_TIMESTAMPS_CHECKED
                          --> scts = []

.......
                          --> ct_compliance_status = "NOT_ENOUGH_SCTS"


AFAIK using embedded SCTs requires no server reconfiguration (apart from installing the new crt),
but somehow I still got a negative result?

Any pointers will be highly appreciated. Thank you.

Dil Lee

Ben Laurie

May 3, 2018, 5:35:51 AM5/3/18
to certificate-...@googlegroups.com
You are correct that no server support is required for embedded SCTs, so I guess you've messed up your configuration somehow...


Rob Percival

May 3, 2018, 7:47:37 AM5/3/18
to certificate-...@googlegroups.com
There appear to be a number of problems with the linked certificate (https://crt.sh/?id=395704043):
  • It doesn't contain any SCTs (and it isn't a pre-cert).
  • It has only been logged to 2 Google CT logs (Chrome's CT policy requires at least 1 SCT from a non-Google log).
Based on that, it does not appear that GoDaddy embedded any SCTs into your certificate. You could provide them to the browser using the TLS extension, but you'll need to log the certificate to some other CT logs first. It'd probably be easier to get the certificate re-issued with embedded SCTs though.

David Drysdale

May 3, 2018, 7:48:13 AM5/3/18
to certificate-...@googlegroups.com
Hi,

That certificate (https://crt.sh/?id=395704043) does not have an embedded SCT -- the "X509v3 extensions:" section does not include "CT Precertificate SCTs:" information.  (For comparison, https://crt.sh/?id=371198457 is a certificate that does have embedded SCTs).

So the certificate has been logged (specifically with the Google Pilot and Rocketeer CT logs), but only after it was created.  To have an embedded SCT, the certificate authority (GoDaddy) would need to log the certificate as it is being created.

Hope that helps,
David
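
A stdlib-only decoder for the extension David refers to (OpenSSL prints it as "CT Precertificate SCTs"; its OID is 1.3.6.1.4.1.11129.2.4.2), added here as an illustration and not taken from the thread or from any CT project. It takes the DER value of that extension, as a certificate parser would hand it to you, and returns the SCTs it contains, so a certificate without the extension (None) or with an empty list is reported as having no embedded SCTs. The sample bytes, log IDs, timestamps and signature are constructed placeholders.

```python
import struct
from datetime import datetime, timezone

def _der_octet_string(der):
    """Strip the outer DER OCTET STRING (tag 0x04); handles long-form lengths."""
    if len(der) < 2 or der[0] != 0x04:
        raise ValueError("extension value is not an OCTET STRING")
    length, pos = der[1], 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        length, pos = int.from_bytes(der[2:2 + (length & 0x7F)], "big"), 2 + (length & 0x7F)
    if pos + length != len(der):
        raise ValueError("OCTET STRING length does not match data")
    return der[pos:]

def _tls_vector(buf, pos):
    """Read a 16-bit length-prefixed TLS vector at pos; return (body, next pos)."""
    n = int.from_bytes(buf[pos:pos + 2], "big")
    body = buf[pos + 2:pos + 2 + n]
    if pos + 2 > len(buf) or len(body) != n:
        raise ValueError("truncated TLS vector")
    return body, pos + 2 + n

def parse_sct_list_extension(ext_der):
    """Return one dict per SCT in a 'CT Precertificate SCTs' extension value (RFC 6962)."""
    sct_list, _ = _tls_vector(_der_octet_string(ext_der), 0)
    scts, pos = [], 0
    while pos < len(sct_list):
        sct, pos = _tls_vector(sct_list, pos)
        if len(sct) < 47 or sct[0] != 0:    # only SCT v1 (encoded as 0) is defined
            raise ValueError("truncated or unknown-version SCT")
        ts_ms = struct.unpack(">Q", sct[33:41])[0]
        _exts, p = _tls_vector(sct, 41)     # SCT extensions (empty in practice)
        sig, _ = _tls_vector(sct, p + 2)    # skips the hash-alg and sig-alg bytes
        scts.append({"log_id": sct[1:33].hex(), "hash_alg": sct[p], "sig_alg": sct[p + 1],
                     "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
                     "signature": sig})
    return scts

def has_embedded_scts(ext_der):
    return ext_der is not None and len(parse_sct_list_extension(ext_der)) > 0  # None: no extension

# Constructed test data: placeholder log IDs and signature, SHA-256 (4) / ECDSA (3).
def _build_sct(log_id, ts_ms):
    body = b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00\x04\x03\x00\x04\xde\xad\xbe\xef"
    return struct.pack(">H", len(body)) + body

def _build_extension(scts):
    tls = b"".join(scts)
    tls = struct.pack(">H", len(tls)) + tls
    return b"\x04" + bytes([len(tls)]) + tls  # short-form DER length is enough for two SCTs

SAMPLE_WITH_SCTS = _build_extension([_build_sct(b"\x11" * 32, 1520000000000), _build_sct(b"\x22" * 32, 1520000001000)])
SAMPLE_EMPTY = _build_extension([])         # extension present but its SCT list is empty
```

The log_id values are what you compare against the log list to tell Google from non-Google logs, which is the policy point Rob raises above.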
Dil Lee

May 3, 2018, 11:14:24 PM5/3/18
to certificate-transparency
Thanks Rob and David for clearing things up.
I am surprised that GoDaddy is not logging new certs to CT logs properly, given that Chrome's CT requirement deadline is in May 2018.
Guess I need to buy a cert from another CA then.

Dil Lee

Peter Bowen

May 3, 2018, 11:20:23 PM5/3/18
to certificate-...@googlegroups.com
The requirement for Chrome only applies to certificates issued on or after April 30, 2018. That certificate was issued in March 2018, so CT is not required.