
OCSP Responder monitoring (was Re: Violations of Baseline Requirements 4.9.10)


Rob Stradling

Dec 11, 2017, 5:50:34 PM
to mozilla-dev-s...@lists.mozilla.org
Inspired by Paul Kehrer's research a few months ago, I've added a
continuous OCSP Monitoring feature to crt.sh:

https://crt.sh/ocsp-responders

This page shows the latest results of 3 OCSP checks (performed hourly)
against each CA / Responder URL that crt.sh has ever encountered:
1. a GET request for an unexpired certificate.
2. a POST request for an unexpired certificate.
3. a POST request for a randomly-generated serial number.

The results can be sorted and filtered in various ways: try editing the
form at the top of the page and then clicking "Update"; or try clicking
a value in any of the "Response" columns.

The "B" (for "Bytes") column lists the size of each HTTP response.
Click on any of these values and you'll see the actual OCSP response
that crt.sh saw; each OCSP response can be viewed as a hex dump, ASN.1
dump, or in the text form used by "openssl ocsp -resp_text".

There are many well behaved Responders, but there's also a wealth of
interesting misbehaviours to explore!

Some example reports:

1. CAs / Responder URLs that are in scope for, but violate, the BR
prohibition on returning a signed "Good" response for a random serial
number, and are also in scope for Mozilla's consideration:
https://crt.sh/ocsp-responders?trustedExclude=constrained%2Cexpired%2Conecrl&trustedBy=Mozilla&trustedFor=Server+Authentication&randomserial=Good

2. All CAs / Responder URLs, sorted by GET response size (largest first):
https://crt.sh/ocsp-responders?dir=^&sort=6

3. All CAs / Responder URLs, sorted by GET response time (fastest first):
https://crt.sh/ocsp-responders?dir=v&sort=10
(No surprise that Comodo's OCSP Responders are fastest from this
particular network perspective ;-) ).

4. All CAs / Responder URLs where 'comodo' is a substring of the
Responder URL:
https://crt.sh/ocsp-responders?url=%25comodo%25

On 15/11/17 00:19, Paul Kehrer via dev-security-policy wrote:
> Hi Ben,
>
> DN: CN=Cartão de Cidadão 001, OU=ECEstado, O=SCEE - Sistema de Certificação
> Electrónica do Estado, C=PT
>
> Downloading the issuer (https://crt.sh/?id=8949008) and then running:
>
> openssl ocsp -issuer 8949008.crt -serial 101010101010101101010101010 \
>     -no_nonce -url http://ocsp.root.cartaodecidadao.pt/publico/ocsp -noverify
>
> gives this response:
>
> 101010101010101101010101010: good
> This Update: Nov 14 23:59:47 2017 GMT
>
> So this does not appear to be resolved.
>
>
> DN: C=PT, O=SCEE, CN=ECRaizEstado
>
> The SCEE root for the Government of Portugal is now responding with
> unknown/revoked statuses.
>
>
> DN: C=PT, O=MULTICERT - Serviços de Certificação Electrónica S.A.,
> OU=Accredited Certification Authority, CN=MULTICERT Certification Authority
> 002
>
> Download https://crt.sh/?id=8642581 and run:
>
> openssl ocsp -issuer 8642581.crt -serial 101010101010101101010101010 \
>     -no_nonce -url http://ocsp.multicert.com/ocsp -noverify
>
> and
>
> openssl ocsp -issuer 8642581.crt -serial 101010101010101101010101010 \
>     -no_nonce -url http://ocsp.multicert.com/procsp -noverify
>
> and the responses are:
>
> 101010101010101101010101010: good
> This Update: Nov 15 00:03:40 2017 GMT
> Next Update: Nov 15 00:03:40 2017 GMT
>
> 101010101010101101010101010: good
> This Update: Nov 15 00:03:58 2017 GMT
> Next Update: Nov 15 00:03:58 2017 GMT
>
> Not fixed.
>
>
> DN: C=PT, O=MULTICERT - Serviços de Certificação Electrónica S.A.,
> OU=Entidade de Certificação Credenciada, CN=MULTICERT - Entidade de
> Certificação 001
>
> (Issuer: https://crt.sh/?id=128496365)
>
> openssl ocsp -issuer 128496365.crt -serial 1010101010101010101002101010 \
>     -no_nonce -noverify -url http://ocsp.multicert.com/ocsp
>
> 1010101010101010101002101010: good
> This Update: Nov 15 00:15:45 2017 GMT
> Next Update: Nov 15 00:15:45 2017 GMT
>
> Also not fixed.
>
> I believe Kathleen has opened bugzilla issues for these so it would
> probably be good to copy this correspondence there as well.
>
> -Paul
>
> On November 15, 2017 at 6:50:43 AM, Ben Wilson (ben.w...@digicert.com)
> wrote:
>
> Could someone re-check Multicert and SCEE? (See below.) They have
> indicated to us that they have now patched their OCSP responder systems.
>
>
>
> DN: CN=Cartão de Cidadão 001, OU=ECEstado, O=SCEE - Sistema de Certificação
> Electrónica do Estado, C=PT
>
> Example cert: https://crt.sh/?id=12729446
>
> OCSP URI: http://ocsp.root.cartaodecidadao.pt/publico/ocsp
>
>
>
> DN: C=PT, O=MULTICERT - Serviços de Certificação Electrónica S.A.,
> OU=Accredited Certification Authority, CN=MULTICERT Certification Authority
> 002
>
> Example cert: https://crt.sh/?id=117934576
>
> OCSP URI: http://ocsp.multicert.com/ocsp
>
> OCSP URI: http://ocsp.multicert.com/procsp
>
>
>
> DN: C=PT, O=MULTICERT - Serviços de Certificação Electrónica S.A.,
> OU=Entidade de Certificação Credenciada, CN=MULTICERT - Entidade de
> Certificação 001
>
> Example cert: https://crt.sh/?id=11653177
>
> OCSP URI: http://ocsp.multicert.com/ocsp
>
>
>
> DigiCert/Government of Portugal, Sistema de Certificação Electrónica do
> Estado (SCEE) / Electronic Certification System of the State:
>
>
>
> DN: C=PT, O=SCEE, CN=ECRaizEstado
>
> Example cert: https://crt.sh/?id=8322256
>
> OCSP URI: http://ocsp.ecee.gov.pt

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
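As an added example (my own sketch, not code from crt.sh or from anyone on this thread), here is a stdlib-only Python implementation of the three probes Rob describes. It builds the OCSPRequest the way `openssl ocsp -no_nonce` does (a CertID over SHA-1 hashes of the issuer's Name and public key, no nonce), sends it either as a POST body or in the RFC 6960 GET form, parses the response just far enough to read each certStatus/thisUpdate/nextUpdate, and applies the check behind report 1 above: a "good" answer for a serial the CA never issued is the BR 4.9.10 violation. Assumptions: the responder URL and the issuer's Name/key bytes are supplied by the caller; `build_response` is a constructed, unsigned fixture so the parser can be exercised offline; and, like `-noverify`, nothing here checks the response signature, since the question is what the responder asserts rather than whether the assertion is authentic.

```python
"""OCSP (RFC 6960) request builder, response parser and BR 4.9.10 check, stdlib only.
Added example, not crt.sh's code. Like `openssl ocsp -noverify` it does NOT verify the
response signature: the question is what the responder asserts, not whether it is authentic."""
import base64, hashlib, os, urllib.parse, urllib.request

OID_SHA1 = bytes.fromhex("2b0e03021a")                # 1.3.14.3.2.26
OID_OCSP_BASIC = bytes.fromhex("2b0601050507300101")  # 1.3.6.1.5.5.7.48.1.1
RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
CERT_STATUS = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}  # [0]/[1]/[2] IMPLICIT

# -- just enough DER to build a request and walk a response --
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def der_int(n):  # non-negative INTEGER; the extra byte keeps the sign bit clear
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def parse(buf, pos=0):
    """Return (tag, body, end) of the TLV at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = parse(body, pos)
        out.append((tag, inner))
    return out

# -- request side: the three crt.sh probes differ only in serial and HTTP method --
def cert_id(issuer_name_der, issuer_key_bits, serial):
    """CertID: SHA-1 of the issuer's DER Name and of its public-key BIT STRING contents."""
    return tlv(0x30, tlv(0x30, tlv(0x06, OID_SHA1) + tlv(0x05, b""))
               + tlv(0x04, hashlib.sha1(issuer_name_der).digest())
               + tlv(0x04, hashlib.sha1(issuer_key_bits).digest()) + der_int(serial))

def build_request(certid):  # OCSPRequest{tbsRequest{requestList{Request{reqCert}}}}, no nonce
    return tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, certid))))

def random_serial():  # 128 random bits: a serial the CA almost certainly never issued
    return int.from_bytes(os.urandom(16), "big") | 1

def fetch(url, req_der, method="POST", timeout=10):
    """HTTP transport per RFC 6960 Appendix A: POST body, or GET with base64 in the path."""
    if method == "GET":
        path = urllib.parse.quote(base64.b64encode(req_der).decode(), safe="")
        req = urllib.request.Request(url.rstrip("/") + "/" + path)
    else:
        req = urllib.request.Request(url, data=req_der, headers={"Content-Type": "application/ocsp-request"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()

# -- response side --
def parse_response(der):
    """responseStatus plus (serial, certStatus, thisUpdate, nextUpdate) for each SingleResponse."""
    kids = children(parse(der)[1])
    code = kids[0][1][0]
    out = {"status": RESPONSE_STATUS.get(code, "unknown(%d)" % code), "singles": []}
    if out["status"] != "successful":
        return out                                   # no ResponseBytes on error statuses
    rtype, rbytes = children(parse(kids[1][1])[1])   # [0] EXPLICIT ResponseBytes
    if rtype[1] != OID_OCSP_BASIC:
        raise ValueError("unexpected responseType")
    tbs = children(parse(rbytes[1])[1])[0][1]        # BasicOCSPResponse.tbsResponseData
    responses = next(b for t, b in children(tbs) if t == 0x30)
    for _, single in children(responses):
        c = children(single)                         # certID, certStatus, thisUpdate, [nextUpdate]...
        nxt = next((children(b)[0][1] for t, b in c[3:] if t == 0xA0), None)
        out["singles"].append({
            "serial": int.from_bytes(children(c[0][1])[3][1], "big", signed=True),
            "cert_status": CERT_STATUS.get(c[1][0], "bad-tag-%02x" % c[1][0]),
            "this_update": c[2][1].decode(), "next_update": nxt.decode() if nxt else None})
    return out

def random_serial_ok(parsed, requested_serial):
    """BR 4.9.10: 'good' for a serial the CA never issued is a violation (returns False)."""
    return not any(s["serial"] == requested_serial and s["cert_status"] == "good"
                   for s in parsed["singles"])

def build_response(serial, status_tag, this_update, next_update=None):
    """CONSTRUCTED test fixture: an unsigned BasicOCSPResponse with dummy signature bytes."""
    status = tlv(0xA1, tlv(0x18, this_update)) if status_tag == 0xA1 else bytes([status_tag, 0])
    single = tlv(0x30, cert_id(b"\x30\x00", b"", serial) + status + tlv(0x18, this_update)
                 + (tlv(0xA0, tlv(0x18, next_update)) if next_update else b""))
    tbs = tlv(0x30, tlv(0xA2, tlv(0x04, b"\x00" * 20)) + tlv(0x18, this_update) + tlv(0x30, single))
    basic = tlv(0x30, tbs + tlv(0x30, tlv(0x06, OID_SHA1)) + tlv(0x03, b"\x00" * 9))
    return tlv(0x30, tlv(0x0A, b"\x00") + tlv(0xA0, tlv(0x30, tlv(0x06, OID_OCSP_BASIC) + tlv(0x04, basic))))
```

To run it against a live responder, pull the issuer's DER Name and the contents of its SubjectPublicKeyInfo BIT STRING out of the issuer certificate (the same two things `openssl ocsp -issuer` hashes), then call `parse_response(fetch(url, build_request(cert_id(name, key, random_serial())), "GET"))` and the same with `"POST"`; `random_serial_ok` on the result is report 1. Because the parser also returns thisUpdate and nextUpdate, the "Next Update" equal to "This Update" pattern in Paul's MULTICERT output above is visible in the same pass.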

Peter Gutmann

Dec 11, 2017, 8:55:10 PM
to mozilla-dev-s...@lists.mozilla.org, Rob Stradling
Rob Stradling via dev-security-policy <dev-secur...@lists.mozilla.org> writes:

>CAs / Responder URLs that are in scope for, but violate, the BR prohibition
>on returning a signed "Good" response for a random serial number

Isn't that perfectly valid? Despite the misleading name, OCSP's "Good" just
means "not revoked", and a not-revoked reply to a random serial number is
correct because it's not revoked.

Peter.

Ryan Sleevi

Dec 11, 2017, 9:11:10 PM
to Peter Gutmann, Rob Stradling, mozilla-dev-s...@lists.mozilla.org
No. It has been prohibited for years in the Baseline Requirements, with an
expectation that CAs monitor such requests in light of DigiNotar.
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>

Wayne Thayer

Dec 19, 2017, 5:22:01 PM
to Rob Stradling, mozilla-dev-s...@lists.mozilla.org
Thanks Rob! I went through the list and filed a bug for each CA if there
wasn't one already open (with one exception that I'm still researching).
All open OCSP issues are included in the list at
https://wiki.mozilla.org/CA/Incident_Dashboard

Wayne

On Mon, Dec 11, 2017 at 10:49 PM, Rob Stradling via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

>
> Some example reports:
>
> 1. CAs / Responder URLs that are in scope for, but violate, the BR
> prohibition on returning a signed "Good" response for a random serial