kajer
@cR0w @ryanc I'll need a cert that covers FD8C::/8 if these people fuckers I work with have anything to say about it... If I give them 1, they will want all 16 trillion 1,329,227,995,784,915,872,903,807,060,280,344,576.
Maybe there is a way to fuck with how certs are parsed like using [FD8C::/8] as a DNS name?
I don't know. That ticket will probably sit in my queue until the day I quit, and many years thereafter.
Ryan Castellucci :nonbinary_flag:
@cR0w @kajer what manner of fuckery is it that you desire, my friends?
kajer
@cR0w I'm tempted to call on @ryanc to do stupid certificate things just for fun
cR0w :cascadia:
cR0w :cascadia:
@kajer If you're handing out certs like that, where can I put in my requests? 😈
kajer
@cR0w do wildcard certs apply to 192.168/16 address too? How about a wildcard for 10/8 ?
sign me up!
cR0w :cascadia:
@kajer Yes please! I'd also like some 169.254.0.0/16 if you've got them.
kajer
today's first ticket:
We need this RFC4193 IPv6 address to use a certificate from the company's openssl CA
You want openssl to give us a trusted cert for a non-routed IPv6 address?!
lol, what a week
Ryan Castellucci :nonbinary_flag:
@cR0w @kajer FWIW I already have tooling that can generate certs for private address space from an internal CA because of course I do.
Ryan Castellucci :nonbinary_flag:
@kajer @cR0w It turns out that no, there is no such thing as an IP wildcard certificate, much to my surprise.
Closest you can get is an intermediate CA with name constraints and then they can mint their own per-ip certificates.
Ryan Castellucci :nonbinary_flag:
@kajer @cR0w you can stuff individual IPv6 addresses in the subject alternative name field though
kajer
@ryanc @cR0w I have seen blursed certs with entire /24s for IPv4 stuffed in the subj-alt names... I just dont want to do this... for v4 or v6
fucking use DNS for your shit
Ryan Castellucci :nonbinary_flag:
@kajer @cR0w find me an example of such a certificate and I will figure out how to replicate it
Ryan Castellucci :nonbinary_flag:
Here's what I found:
https://security.stackexchange.com/questions/91368/ip-range-in-ssl-subject-alternative-name
kajer
@ryanc @cR0w I found the same thing. I refuse out of principal. I know I work at a startup and a level of jank is involved... But damn.
Ryan Castellucci :nonbinary_flag:
@kajer @cR0w I'd probably have to read the boringssl source code to see whether chrome will handle it...
kajer
@ryanc @cR0w lol @ryanc reading dcoumentation smells like a CVE in the pipeline
Ryan Castellucci :nonbinary_flag:
@kajer @cR0w I'm pretty sure they started fuzzing their certificate validation code paths after a few rounds of researchers setting it on fire
kajer
@ryanc @cR0w oh thats right... chrome, owning the majority browser market, gets to do what they want regardless of rules because what are you going to do about it?
Ryan Castellucci :nonbinary_flag:
@kajer @cR0w I just spoke with someone from let's encrypt who has looked at the relevant code in a number of implementations and they confirm CIDR ranges aren't honored in SANs.
If I had an exploit which would allow this, I would now be dropping it because it would be funny, but alas...
kajer
@ryanc @cR0w I am tempted attempt a shellshock to get this... But certificate parsing is probably secure enough to prevent this... right? RIGHT?
Ryan Castellucci :nonbinary_flag:
This has an example of generating a SAN with an ipv4 address, IPv6 should work...
Fritz Adalis
@ryanc @cR0w @kajer
Pretty sure Microsoft's CA does this out of the box. This is why Microsoft always gets the best quadrant.
Ryan Castellucci :nonbinary_flag:
@kajer @cR0w as I said, fuzz testing...
Now, if you wanted to break GnuTLS, that's probably still got some fun things in the dumpster between the fire.
kajer
@ryanc @cR0w i am not going to be enabling this request by giving them a trusted cert for an ipaddress. I doubt our CA will do it, but I'm not going to ask. They don't want any type of DNS, just the internal use IP.
Hi Digicert, can I get a trusted cert for 192.168.1.1 please?
Hi Digicert, can I get a trusted cert for 2001:db8::1 please?
kajer
@ryanc @cR0w LOL I just re-read the ticket...
ALL servers at ALL sites will use the SAME IPv6 address, so they only need the ONE certificate.
W T A F
Ryan Castellucci :nonbinary_flag:
@kajer @cR0w just make the certificate with some fun text embedded in the PEM
Ryan Castellucci :nonbinary_flag:
@kajer @cR0w DigiCert isn't going to oblige, so they run your internal CA?
kajer
@ryanc @cR0w the wording of the ticket broke my brain. they want a trusted ca to give us a cert for their one ipv6 address they intend to reuse at multiple sites.
Ryan Castellucci :nonbinary_flag:
Ryan Castellucci :nonbinary_flag:
@kajer @cR0w they can set a public DNS name to an internal IP, but you know that...
Ryan Castellucci :nonbinary_flag:
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.