Bug 1446080 (Closed)
Opened 6 years ago
Closed 6 years ago
Let's Encrypt: Improper encoding of wildcard certificates
Categories: CA Program :: CA Certificate Compliance, task
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: wthayer, Assigned: jaas, NeedInfo
Details: Whiteboard: [ca-compliance] [dv-misissuance]
Josh Aas posted the following incident report to mozilla.dev.security.policy:

During final tests for the general availability of wildcard certificate support, the Let's Encrypt operations team issued six test wildcard certificates under our publicly trusted root:

https://crt.sh/?id=353759994
https://crt.sh/?id=353758875
https://crt.sh/?id=353757861
https://crt.sh/?id=353756805
https://crt.sh/?id=353755984
https://crt.sh/?id=353754255

These certificates contain a subject common name that includes a “*.” label encoded as an ASN.1 PrintableString, which does not allow the asterisk character, violating RFC 5280. We became aware of the problem on 2018-03-13 at 00:43 UTC via the linter flagging in crt.sh [1]. All six certificates have been revoked.

The root cause of the problem is a Go language bug [2] which has been resolved in Go v1.10 [3], which we were already planning to deploy soon. We will resolve the issue by upgrading to Go v1.10 before proceeding with our wildcard certificate launch plans.

We employ a robust testing infrastructure but there is always room for improvement and sometimes bugs slip through our pre-production tests. We’re fortunate that the PKI community has produced some great testing tools that sometimes catch things we don’t. In response to this incident we are planning to integrate additional tools into our testing infrastructure and improve our test coverage of multiple Go versions.

[1] https://crt.sh/
[2] https://github.com/golang/go/commit/3b186db7b4a5cc510e71f90682732eba3df72fd3
[3] https://golang.org/doc/go1.10#encoding/asn1
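The encoding defect the report describes, as an added example that is not code from the incident report, from Boulder, or from Go's fix. It assumes Go 1.10 or later and only the standard library. marshalledStringTag shows which ASN.1 string type encoding/asn1 now picks for a wildcard CN; lintSubjectCN is a minimal crt.sh-style check that walks a DER Subject with asn1.RawValue (so the original string tags are kept) and flags a CN tagged PrintableString whose bytes fall outside the X.680 PrintableString alphabet. buildSubject, the CN values and the DER inputs are constructed here to reproduce the shape of the mis-issued certificates without a real certificate.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"strings"
)

var oidCommonName = asn1.ObjectIdentifier{2, 5, 4, 3}

// X.680 PrintableString alphabet: A-Z, a-z, 0-9 plus twelve symbols. '*' is absent,
// which is why a PrintableString CN of "*.example.com" violates RFC 5280.
func isPrintableStringByte(b byte) bool {
	return ('a' <= b && b <= 'z') || ('A' <= b && b <= 'Z') || ('0' <= b && b <= '9') ||
		strings.IndexByte(" '()+,-./:=?", b) >= 0
}

// firstInvalidPrintable returns the offset of the first byte outside the alphabet, or -1.
func firstInvalidPrintable(s []byte) int {
	for i, b := range s {
		if !isPrintableStringByte(b) {
			return i
		}
	}
	return -1
}

// marshalledStringTag returns the universal tag encoding/asn1 picks for an untagged
// Go string. With the Go 1.10 fix a '*' forces UTF8String (12) over PrintableString (19).
func marshalledStringTag(s string) (int, error) {
	der, err := asn1.Marshal(s)
	if err != nil {
		return 0, err
	}
	var rv asn1.RawValue
	if _, err := asn1.Unmarshal(der, &rv); err != nil {
		return 0, err
	}
	return rv.Tag, nil
}

// buildSubject is constructed test input (hypothetical helper): a DER Name holding one
// CN attribute written under the given string tag, so the mis-encoding can be reproduced.
func buildSubject(cn string, stringTag int) ([]byte, error) {
	rdn := pkix.RDNSequence{pkix.RelativeDistinguishedNameSET{
		{Type: oidCommonName, Value: asn1.RawValue{Tag: stringTag, Bytes: []byte(cn)}},
	}}
	return asn1.Marshal(rdn)
}

// lintSubjectCN walks a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue) using
// asn1.RawValue so string tags survive, and flags each PrintableString CN with bad bytes.
func lintSubjectCN(der []byte) ([]string, error) {
	var name asn1.RawValue
	rest, err := asn1.Unmarshal(der, &name)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 || name.Tag != asn1.TagSequence {
		return nil, errors.New("subject is not a single SEQUENCE")
	}
	var findings []string
	for sets := name.Bytes; len(sets) > 0; {
		var set asn1.RawValue
		if sets, err = asn1.Unmarshal(sets, &set); err != nil {
			return nil, err
		}
		for atvs := set.Bytes; len(atvs) > 0; {
			var atv, val asn1.RawValue
			var oid asn1.ObjectIdentifier
			if atvs, err = asn1.Unmarshal(atvs, &atv); err != nil {
				return nil, err
			}
			if valDER, err := asn1.Unmarshal(atv.Bytes, &oid); err != nil {
				return nil, err
			} else if _, err = asn1.Unmarshal(valDER, &val); err != nil {
				return nil, err
			}
			if oid.Equal(oidCommonName) && val.Tag == asn1.TagPrintableString {
				if i := firstInvalidPrintable(val.Bytes); i >= 0 {
					findings = append(findings, fmt.Sprintf(
						"CN %q: byte %q at offset %d is not allowed in PrintableString", val.Bytes, val.Bytes[i], i))
				}
			}
		}
	}
	return findings, nil
}

func main() {
	tag, _ := marshalledStringTag("*.example.com")
	fmt.Println("asn1.Marshal of a wildcard CN picks tag", tag) // 12 on Go >= 1.10
	// First the shape crt.sh flagged (wildcard CN forced into PrintableString), then the valid form.
	for _, tag := range []int{asn1.TagPrintableString, asn1.TagUTF8String} {
		der, _ := buildSubject("*.example.com", tag)
		findings, err := lintSubjectCN(der)
		fmt.Printf("CN tag %d: findings=%v err=%v\n", tag, findings, err)
	}
}
```

The RawValue walk matters: unmarshalling straight into pkix.RDNSequence decodes every string type to a Go string and loses the tag, so a checker built that way cannot see this class of mis-encoding. Checking the raw tag is what a linter such as the one in crt.sh does, and it is the same check Boulder gains by running certlint/zlint over issued certificates.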
Comment 1 • 6 years ago (Reporter)
The discussion thread for this issue is https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wqySoetqUFM

Jacob described the following action item: "integrate GlobalSign's certlint and/or zlint into our existing cert-checker pipeline". Please provide a date for completing this action, and update this bug when the action has been completed.
Assignee: wthayer → jaas
Flags: needinfo?(mozilla.20.jsha)
Whiteboard: [ca-compliance]
The work to integrate certlint was completed and merged into our testing on March 15: https://github.com/letsencrypt/boulder/pull/3550
Comment 3 • 6 years ago (Reporter)
It appears that all actions have been completed, so I am marking this resolved.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Updated•2 years ago
Product: NSS → CA Program
Updated•1 year ago
Whiteboard: [ca-compliance] → [ca-compliance] [dv-misissuance]