Closed Bug 1446080 Opened 2 years ago Closed 2 years ago

Let's Encrypt: Improper encoding of wildcard certificates

Categories

(NSS :: CA Certificate Compliance, task)

task
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wayne, Assigned: jaas, NeedInfo)

Details

(Whiteboard: [ca-compliance])

Josh Aas posted the following incident report to mozilla.dev.security.policy:

During final tests for the general availability of wildcard certificate support, the Let's Encrypt operations team issued six test wildcard certificates under our publicly trusted root:

https://crt.sh/?id=353759994
https://crt.sh/?id=353758875
https://crt.sh/?id=353757861
https://crt.sh/?id=353756805
https://crt.sh/?id=353755984
https://crt.sh/?id=353754255

These certificates contain a subject common name that includes a  “*.” label encoded as an ASN.1 PrintableString, which does not allow the asterisk character, violating RFC 5280.

We became aware of the problem on 2018-03-13 at 00:43 UTC via the linter flagging in crt.sh [1]. All six certificates have been revoked.

The root cause of the problem is a Go language bug [2] which has been resolved in Go v1.10 [3], which we were already planning to deploy soon. We will resolve the issue by upgrading to Go v1.10 before proceeding with our wildcard certificate launch plans.

We employ a robust testing infrastructure but there is always room for improvement and sometimes bugs slip through our pre-production tests. We’re fortunate that the PKI community has produced some great testing tools that sometimes catch things we don’t. In response to this incident we are planning to integrate additional tools into our testing infrastructure and improve our test coverage of multiple Go versions.

[1] https://crt.sh/

[2] https://github.com/golang/go/commit/3b186db7b4a5cc510e71f90682732eba3df72fd3

[3] https://golang.org/doc/go1.10#encoding/asn1
The discussion thread for this issue is https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wqySoetqUFM

Jacob described the following action item: integrate GlobalSign's certlint and/or zlint into our existing cert-checker pipeline

Please provide a date for completing this action, and update this bug when the action has been completed.
Assignee: wthayer → jaas
Flags: needinfo?(mozilla.20.jsha)
Whiteboard: [ca-compliance]
The work to integrate certlint was completed and merged into our testing on March 15:

https://github.com/letsencrypt/boulder/pull/3550
It appears that all actions have been completed, so I am marking this resolved.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.