Conversation

Notices

1. Embed this notice
   Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 17-May-2024 16:37:34 JST Ryan Castellucci :nonbinary_flag:

   LOL never trust the output of openssl x509 -noout -text

   You can stuff arbitrary printable ascii including newlines into random extensions as raw data and it'll just display it.

   https://gist.githubusercontent.com/ryancdotorg/73f298821f57b56ec328181dfa9b9ade/raw/37444b84684315b19ef50f85d4453663cfafeb96/nsa.test.pem

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 17-May-2024 16:39:30 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     I can stuff a text representation of an entire other certificate in there....

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 17-May-2024 16:41:11 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     No CAs just copy the value of harmless deprecated extensions, right?

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 17-May-2024 16:43:21 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     Obviously I tried ANSI escape sequences, which didn't work.

   • Embed this notice
     Sophie Schmieg (sophieschmieg@infosec.exchange)'s status on Saturday, 18-May-2024 05:13:54 JST Sophie Schmieg

     in reply to

     @ryanc

     Never trust […] x509.

     Fixed that for you.

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 18-May-2024 05:19:26 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Sophie Schmieg

     @sophieschmieg never trust

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 18-May-2024 05:27:32 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Sophie Schmieg

     @sophieschmieg btw shodan dumps certificates using openssl x509 -text

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Sunday, 19-May-2024 18:49:38 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Nicolas SAPA

     @nico Perhaps, but GnuTLS has significantly more security bugs in it than OpenSSL.

   • Embed this notice
     Nicolas SAPA (nico@ublog.byme.at)'s status on Sunday, 19-May-2024 18:49:42 JST Nicolas SAPA

     in reply to
     @ryanc certtool from gnutls show "Unknown extension 2.16.840.1.113730.1.1 (not critical):" and remove the newline.
   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Sunday, 19-May-2024 18:50:58 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • waldi

     @waldi Making a CA do a lot of paperwork for the next few weeks sounds fun, especially if it's Sectigo.

   • Embed this notice
     waldi (waldi@chaos.social)'s status on Sunday, 19-May-2024 18:50:59 JST waldi

     in reply to

     @ryanc No, CA governed by CA/Browser forum will not just copy sections. Or they will have to do a lot of paperwork for the next weeks.

   • Embed this notice
     wr (wr@infosec.exchange)'s status on Saturday, 24-May-2025 00:05:15 JST wr

     in reply to

     @ryanc I was referred to this post by https://github.com/libressl/portable/issues/1171#event-17786466385

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 24-May-2025 16:49:27 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • wr

     @wr Oh, interesting, I tried to do exactly this and failed. I was able to inject text just fine, but I guess I should have tried more fields..

   • Embed this notice
     wr (wr@infosec.exchange)'s status on Saturday, 24-May-2025 17:17:12 JST wr

     in reply to

     @ryanc the talk recording was published a few days ago https://youtu.be/0wW8lGjJuBM