-
Martin
> Establishing a secure connection from mdosch.de to anonymitaet-im-inter.net failed. Certificate hash: 9bad9a6c6caf82c39f0b53fa2303e823891cedcf03580e844318765449b0860a. Error with certificate 0: certificate has expired.
-
nuegia.net
check RTC
-
nuegia.net
standby
-
Martin
nuegia.net: it's not my clock, their cert is expired: > x509: certificate has expired or is not yet valid: current time 2024-11-24T20:34:21+01:00 is after 2024-11-24T03:49:48Z
-
nuegia.net
``` Testing server defaults (Server Hello) TLS extensions (standard) "renegotiation info/#65281" "EC point formats/#11" "supported versions/#43" "key share/#51" "max fragment length/#1" "extended master secret/#23" Session Ticket RFC 5077 hint no -- no lifetime advertised SSL Session ID support no Session Resumption Tickets no, ID: no TLS clock skew Random values, no fingerprinting possible Signature Algorithm ECDSA with SHA384 Server key size EC 384 bits Server key usage Digital Signature Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication Serial 0457297C807637D498CD04B128BB328F26E6 (OK: length 18) Fingerprints SHA1 3A054D472DC453CB4ED4B2BF2F4354552EB5536C SHA256 9BAD9A6C6CAF82C39F0B53FA2303E823891CEDCF03580E844318765449B0860A Common Name (CN) anonymitaet-im-inter.net subjectAltName (SAN) anonymitaet-im-inter.net chat.anonymitaet-im-inter.net Issuer E6 (Let's Encrypt from US) Trust (hostname) Ok via SAN (same w/o SNI) Chain of trust NOT ok (expired) EV cert (experimental) no ETS/"eTLS", visibility info not present Certificate Validity (UTC) expired (2024-08-26 03:49 --> 2024-11-24 03:49) # of certificates provided 2 Certificate Revocation List -- OCSP URI http://e6.o.lencr.org OCSP stapling not offered OCSP must staple extension -- DNS CAA RR (experimental) not offered Certificate Transparency yes (certificate extension) ```
-
Martin
qed, you just confirm that their cert is expired, so why do you tell me to fix my clock?
-
nuegia.net
I didn't have the information at the time. which is why I said standby
-
nuegia.net
The test takes a while to complete.
-
Martin
Maybe you should do your tests before you suggest the wrong party to fix their setup. ^^
-
nuegia.net
It's relatively quick to check your own RTC while the test runs.
-
Menel
It is not like it depends on a minute here?
-
Menel
Interesting who runs xmpp servers apparently https://datenkanal.org/
-
nuegia.net
Does anyone have a writeup on how the nationstate level attack on jabber.ru that bypassed tls was performed and ways to metigate it?
-
Menel
I think this contains it all https://news.ycombinator.com/item?id=37961166 + the original post of the jabber.ru people
-
nuegia.net
When deploying CAA security, are the "" surrounding the string portion of a CAA record in a zone file necessary or is that just a way the writer of the article is showing the data?
-
nuegia.net
I've used nonliteral doublequotes in zone files before and have not had a problem yet.✎ -
nuegia.net
I've never used nonliteral doublequotes in zone files before and have not had a problem yet. ✏
-
nuegia.net
checkzone is happy but i'd like to be sure.
-
MattJ
I never liked that article, it pretends that Certificate Transparency is a solution, but it is not (it's just a way to detect the attack after it already happened).
-
MattJ
CAA records, channel binding and DNSSEC/DANE are all things that would have entirely prevented the jabber.ru attack (based on our understanding of how it worked)
-
nuegia.net
I'm not using CT to metigate this, I'm deploying CAA account bonding.
-
MattJ
Yep, just commenting on the article, not your actions
-
nuegia.net
As I understand it ACME uses account numbers which are proved with ownership of a private key on the server and public key cryptography, therefor if I deploy account bonding with me CA and restrict CAA to only CAs I actually use it should make this attack impossible even if the routers are compromised correct?
-
nuegia.net
I'm deploying it now. Just waiting for dns to settle. Will test acme still works after this.
-
nuegia.net
Anything else I am missing?
-
MattJ
Correct, mostly. If you don't have DNSSEC then your CAA records could theoretically be tampered with between your DNS server and the CA. With DNSSEC you should be fine, it would require a compromise of the CA.
-
nuegia.net
I'm still figuring out how to deploy DNSSEC with NSD. This is still very confusing to me.
-
nuegia.net
Help would be appreciated.
-
nuegia.net
I'd like to close that potential attack vector.
-
nuegia.net
apparently nonliteral doublequotes are needed in zone files when semicolon is used