[edk2-devel] [PATCH v1 0/4] Support HTTPS HostName validation feature(CVE-2019-14553)

Laszlo Ersek lersek at redhat.com
Thu Oct 10 08:00:05 UTC 2019


On 10/09/19 22:34, David Woodhouse wrote:
> Can you show result of 'openssl x509 -noout -text -in xxxxxx.pem' on
> your certs please.

Sure. I had thought of that actually (I could have attached the
certificates at once), but I figured, let me not share crypto stuff
unless specifically asked for :)

> Would like to check if you really have a cert for the hostname string
> "192.168.124.2" or to the IP address. They are different things.

Very interesting! This makes me curious.

The *host* certificates were generated with the "genkey" utility ("Red
Hat Keypair Generation"), not with naked openssl tool invocations.
That's because Apache setup is not for the faint-hearted, and I had
decided up-front (when I first looked into setting up mod_ssl) that I'd
follow the official documentation, here:

  https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-web_servers

So I ran

  genkey 'fd33:eb1b:9b36::2'
  genkey 192.168.124.2

and went through the dialogs, which were already filled in with the
argument passed on the command line (which the genkey manual calls
"hostname").

The *CA* cert was generated with openssl directly, however. Also, for
signing the CSRs (certificate signing requests), produced by "genkey", I
also used openssl manually.

Please find the certificates below (including the CA certificate):

> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             a7:b5:04:75:6a:2f:ee:7e
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=HU, ST=Pest, L=Budapest, O=Laszlo Ersek Home Office, OU=Certificate Authority, CN=Laszlo Ersek CA/emailAddress=lersek at redhat.com
>         Validity
>             Not Before: Oct  9 16:06:08 2019 GMT
>             Not After : Nov  8 16:06:08 2019 GMT
>         Subject: C=HU, ST=Pest, L=Budapest, O=Laszlo Ersek Home Office, OU=Certificate Authority, CN=Laszlo Ersek CA/emailAddress=lersek at redhat.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 2F:A1:8A:8D:60:DC:74:D8:3C:46:B2:57:6C:E9:81:34:B1:72:82:F5
>             X509v3 Authority Key Identifier:
>                 keyid:2F:A1:8A:8D:60:DC:74:D8:3C:46:B2:57:6C:E9:81:34:B1:72:82:F5
>
>             X509v3 Basic Constraints:
>                 CA:TRUE
>     Signature Algorithm: sha256WithRSAEncryption

> Certificate:
>     Data:
>         Version: 1 (0x0)
>         Serial Number:
>             d1:ea:de:57:cb:4b:44:7b
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=HU, ST=Pest, L=Budapest, O=Laszlo Ersek Home Office, OU=Certificate Authority, CN=Laszlo Ersek CA/emailAddress=lersek at redhat.com
>         Validity
>             Not Before: Oct  9 16:22:49 2019 GMT
>             Not After : Nov  8 16:22:49 2019 GMT
>         Subject: C=HU, ST=Pest, L=Budapest, O=Laszlo Ersek Home Office, OU=IPv6 cert, CN=fd33:eb1b:9b36::2
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                 Exponent: 65537 (0x10001)
>     Signature Algorithm: sha256WithRSAEncryption

> Certificate:
>     Data:
>         Version: 1 (0x0)
>         Serial Number:
>             d1:ea:de:57:cb:4b:44:7a
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=HU, ST=Pest, L=Budapest, O=Laszlo Ersek Home Office, OU=Certificate Authority, CN=Laszlo Ersek CA/emailAddress=lersek at redhat.com
>         Validity
>             Not Before: Oct  9 16:20:46 2019 GMT
>             Not After : Nov  8 16:20:46 2019 GMT
>         Subject: C=HU, ST=Pest, L=Budapest, O=Laszlo Ersek Home Office, OU=IPv4 cert, CN=192.168.124.2
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                 Exponent: 65537 (0x10001)
>     Signature Algorithm: sha256WithRSAEncryption

Furthermore, my Apache config is, for the "proper" certificate assignment
case (excerpt from "/etc/httpd/conf.d/ssl.conf"):

> <VirtualHost [fd33:eb1b:9b36::2]:443>
> SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
> SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
> SSLCertificateFile /etc/pki/tls/certs/fd33:eb1b:9b36::2.signedcert.pem
> SSLCertificateKeyFile /etc/pki/tls/private/fd33:eb1b:9b36::2.key

> <VirtualHost _default_:443>
> SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
> SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
> SSLCertificateFile /etc/pki/tls/certs/192.168.124.2.signedcert.pem
> SSLCertificateKeyFile /etc/pki/tls/private/192.168.124.2.key

Thanks
Laszlo
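As an added example (not part of this thread or of the edk2 patch set), the distinction David raises, spelled out as a matcher over the dictionary shape Python's `ssl.getpeercert()` returns: an IP literal is matched only against subjectAltName "IP Address" entries, never against a CN that merely contains the address as a string, so certificates like the two host certs above (CN holds the address, no SAN extension) are rejected for that address. DNS names use SAN dNSName entries with a CN fallback only when no dNSName is present. The certificate dictionaries below are constructed sample data.

```python
import ipaddress

# Constructed sample in the shape ssl.getpeercert() returns. It mirrors the
# IPv4 host cert in the message: the address lives only in the CN string and
# there is no subjectAltName extension at all.
CN_ONLY_CERT = {
    "subject": ((("countryName", "HU"),), (("commonName", "192.168.124.2"),)),
}

# Constructed counterpart carrying the same identities as SAN iPAddress entries.
SAN_IP_CERT = {
    "subject": ((("commonName", "192.168.124.2"),),),
    "subjectAltName": (("IP Address", "192.168.124.2"),
                       ("IP Address", "fd33:eb1b:9b36::2")),
}


def _common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def _dns_label_match(pattern, name):
    """RFC 6125-style match: exact labels, or a single leftmost '*' label."""
    p, n = pattern.lower().split("."), name.lower().split(".")
    if len(p) != len(n) or (p[0] == "*" and len(p) < 3):  # refuse "*.com"
        return False
    return all(a == b or (i == 0 and a == "*") for i, (a, b) in enumerate(zip(p, n)))


def certificate_matches_host(cert, host):
    """Return True if `cert` is valid for `host` (a DNS name or an IP literal)."""
    san = cert.get("subjectAltName", ())
    try:
        wanted = ipaddress.ip_address(host)
    except ValueError:
        wanted = None
    if wanted is not None:
        # IP literals: only SAN iPAddress entries count. Comparing parsed
        # addresses also handles IPv6 spelling differences (fd33:...::2 vs
        # fd33:...:0:0:0:0:2). A CN of "192.168.124.2" is just a string.
        return any(typ == "IP Address" and ipaddress.ip_address(val) == wanted
                   for typ, val in san)
    dns_names = [val for typ, val in san if typ == "DNS"]
    if dns_names:
        return any(_dns_label_match(pat, host) for pat in dns_names)
    # Legacy fallback: no dNSName in the SAN at all, so consult the CN.
    return any(_dns_label_match(cn, host) for cn in _common_names(cert))
```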

View/Reply Online (#48709): https://edk2.groups.io/g/devel/message/48709