
Certificate with duplicate commonname


Hanno Böck

Oct 29, 2017, 2:42:43 PM
to mozilla-dev-s...@lists.mozilla.org
Hi,

This certificate has a duplicate commonname:
https://crt.sh/?id=242683153&opt=problemreporting

This was pointed out by Mattias Geniar:
https://twitter.com/mattiasgeniar/status/924705516974112768

I'm not entirely sure if the wording of the BRs forbids this (they say
the CN field must contain a single IP or fqdn, but don't really
consider the case that 2 CNs can be present), though this is
clearly malformed.

I have informed telesec / Deutsche Telekom about this (this is
indirectly signed by them) via their contact form.

I haven't checked if other such certificates exist.

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Peter Bowen

Oct 29, 2017, 2:51:46 PM
to Hanno Böck, mozilla-dev-s...@lists.mozilla.org
This has been discussed previously and my recollection is that
multiple CNs are allowed as long as each one has a single entry from
the subjectAlternativeName extension.
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

Jürgen Brauckmann

Oct 30, 2017, 6:16:56 AM
to dev-secur...@lists.mozilla.org, ha...@hboeck.de
Hi Hanno!

On 29.10.2017 at 19:42, Hanno Böck via dev-security-policy wrote:
> This certificate has a duplicate commonname:
> https://crt.sh/?id=242683153&opt=problemreporting

The cert was issued by our systems (DFN-PKI).

> This was pointed out by Mattias Geniar:
> https://twitter.com/mattiasgeniar/status/924705516974112768
>
> I'm not entirely sure if the wording of the BRs forbids this (they say
> the CN field must contain a single IP or fqdn, but don't really
> consider the case that 2 CNs can be present), though this is
> clearly malformed.

I don't see why you say that this certificate is malformed. On what
basis? The BRs don't forbid this, RFC5280 doesn't forbid this.

There was even
http://wiki.cacert.org/VhostTaskForce#A2._Way:_Multiple_CommonNames_in_the_same_certificate

The author of cablint thinks multi-CN justifies a warning (I guess
because browser support of multi-CN is nowadays non-existent).

> I have informed telesec / Deutsche Telekom about this (this is
> indirectly signed by them) via their contact form.
>
> I haven't checked if other such certificates exist.

Of course they exist.

Regards,
Jürgen
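A small lint check in the spirit of Peter Bowen's rule (several CNs are fine as long as each has a matching SAN entry) and the cablint warning Jürgen mentions, written here as an added example rather than code from cablint or from any poster: it walks every CN attribute in a parsed subject, reports a CN with no matching SAN dNSName as an error and more than one CN as a warning. The certificate it inspects is constructed in code using Go's standard crypto/x509; the function names LintCommonNames and BuildTestCert and the example.org names are assumptions, not values from the crt.sh certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)
// id-at-commonName (2.5.4.3), the attribute type that appears twice in the reported subject.
var oidCommonName = asn1.ObjectIdentifier{2, 5, 4, 3}
// LintCommonNames returns every CN in the subject plus findings: an ERROR for a CN with no matching SAN dNSName, a cablint-style WARNING for multiple CNs.
func LintCommonNames(cert *x509.Certificate) (cns, findings []string) {
	inSAN := map[string]bool{}
	for _, d := range cert.DNSNames {
		inSAN[d] = true
	}
	// Subject.Names keeps every attribute; Subject.CommonName would keep only the last CN seen.
	for _, atv := range cert.Subject.Names {
		if cn, ok := atv.Value.(string); ok && atv.Type.Equal(oidCommonName) {
			cns = append(cns, cn)
			if !inSAN[cn] {
				findings = append(findings, "ERROR: CN "+cn+" has no matching SAN entry")
			}
		}
	}
	if len(cns) > 1 {
		findings = append(findings, "WARNING: subject has more than one CN attribute")
	}
	return cns, findings
}
// BuildTestCert self-signs a throwaway certificate carrying one CN attribute per entry of cns
// (constructed test data, not the crt.sh certificate); Subject.ExtraNames lets us emit several CN RDNs.
func BuildTestCert(cns, sans []string) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: sans, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	for _, cn := range cns {
		tmpl.Subject.ExtraNames = append(tmpl.Subject.ExtraNames, pkix.AttributeTypeAndValue{Type: oidCommonName, Value: cn})
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```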