Public
- Public
- Network
- Groups
- Featured
- Popular
- People

Conversation

Notices

Embed this notice
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 17-May-2024 16:37:34 JST Ryan Castellucci :nonbinary_flag:

LOL never trust the output of openssl x509 -noout -text
You can stuff arbitrary printable ascii including newlines into random extensions as raw data and it'll just display it.
https://gist.githubusercontent.com/ryancdotorg/73f298821f57b56ec328181dfa9b9ade/raw/37444b84684315b19ef50f85d4453663cfafeb96/nsa.test.pem
In conversation about a year ago from infosec.exchange permalink
Attachments
1. screenshot of openssl output showing X509v3 No Secrecy Afforded: true
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/112/455/258/036/485/965/original/57e7268e8eaec58d.png
- Embed this notice
  Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 17-May-2024 16:39:30 JST Ryan Castellucci :nonbinary_flag:
  in reply to
  
  I can stuff a text representation of an entire other certificate in there....
  
  In conversation about a year ago permalink
- Embed this notice
  Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 17-May-2024 16:41:11 JST Ryan Castellucci :nonbinary_flag:
  in reply to
  
  No CAs just copy the value of harmless deprecated extensions, right?
  
  In conversation about a year ago permalink
- Embed this notice
  Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 17-May-2024 16:43:21 JST Ryan Castellucci :nonbinary_flag:
  in reply to
  
  Obviously I tried ANSI escape sequences, which didn't work.
  
  In conversation about a year ago permalink
- Embed this notice
  Sophie Schmieg (sophieschmieg@infosec.exchange)'s status on Saturday, 18-May-2024 05:13:54 JST Sophie Schmieg
  in reply to
  
  @ryanc
  Never trust […] x509.
  Fixed that for you.
  
  In conversation about a year ago permalink
- Embed this notice
  Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 18-May-2024 05:19:26 JST Ryan Castellucci :nonbinary_flag:
  in reply to
  - Sophie Schmieg
  @sophieschmieg never trust
  
  In conversation about a year ago permalink
- Embed this notice
  Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 18-May-2024 05:27:32 JST Ryan Castellucci :nonbinary_flag:
  in reply to
  - Sophie Schmieg
  @sophieschmieg btw shodan dumps certificates using openssl x509 -text
  
  In conversation about a year ago permalink
- Embed this notice
  Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Sunday, 19-May-2024 18:49:38 JST Ryan Castellucci :nonbinary_flag:
  in reply to
  - Nicolas SAPA
  @nico Perhaps, but GnuTLS has significantly more security bugs in it than OpenSSL.
  
  In conversation about a year ago permalink
- Embed this notice
  Nicolas SAPA (nico@ublog.byme.at)'s status on Sunday, 19-May-2024 18:49:42 JST Nicolas SAPA
  in reply to
  
  @ryanc certtool from gnutls show "Unknown extension 2.16.840.1.113730.1.1 (not critical):" and remove the newline.
  
  In conversation about a year ago permalink
- Embed this notice
  Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Sunday, 19-May-2024 18:50:58 JST Ryan Castellucci :nonbinary_flag:
  in reply to
  - waldi
  @waldi Making a CA do a lot of paperwork for the next few weeks sounds fun, especially if it's Sectigo.
  
  In conversation about a year ago permalink
- Embed this notice
  waldi (waldi@chaos.social)'s status on Sunday, 19-May-2024 18:50:59 JST waldi
  in reply to
  
  @ryanc No, CA governed by CA/Browser forum will not just copy sections. Or they will have to do a lot of paperwork for the next weeks.
  
  In conversation about a year ago permalink

Public

Conversation

Notices

Feeds