[Noisebridge-discuss] Finally - Working and non ghetto ssl for www.noisebridge.net

Jacob Appelbaum jacob at appelbaum.net
Sun Mar 9 08:10:28 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

(This second copy is signed as I should have done in the first place)

Finally, we have a reasonable SSL cert. Sadly, it uses MD5 - if anyone
can perform an attack that takes advantage of that MD5 - you get a cookie!

X.509 certificate info:

Version: 3
Serial Number (hex): 07:F1:30
Subject: C=US,O=www.noisebridge.net,OU=GT03814955,OU=See
www.rapidssl.com/resources/cps (c)08,OU=Domain Control Validated -
RapidSSL(R),CN=www.noisebridge.net
Issuer: C=US,O=Equifax Secure Inc.,CN=Equifax Secure Global eBusiness CA-1
Signature Algorithm: RSA-MD5
Warning: certificate uses a broken signature algorithm that can be forged.
Validity:
        Not Before: Sat Mar  8 23:21:23 2008
        Not After: Mon Mar  9 23:21:23 2009
Subject Public Key Info:
        Public Key Algorithm: RSA (1024 bits)
modulus:
        bf:3b:83:5d:84:bf:84:8c:e8:8b:06:3b:63:e7:bd:
        17:65:8f:b5:9c:99:fe:f0:6e:4e:e5:ab:c6:6f:c8:
        86:b1:71:e4:ee:9b:12:2d:e5:1c:57:d5:b2:9e:1e:
        05:8d:51:3b:c7:01:fd:41:bb:4c:22:ba:35:f7:f0:
        ee:29:ca:3b:a5:04:41:a3:f1:4e:2f:53:31:97:90:
        e9:41:bc:b1:83:2b:fb:f8:6f:ed:8a:fa:fc:1a:cd:
        a6:57:01:8b:1d:e9:da:3c:32:bd:a8:87:c7:b8:28:
        a4:c6:4f:88:92:e4:7d:c4:0f:98:11:62:b3:2c:e6:
        81:6e:6e:e1:1f:7d:46:9d:
public exponent:
        01:00:01:

X.509 Extensions:
        CRL Distribution points:
                URI: http://crl.geotrust.com/crls/globalca1.crl
        Basic Constraints: (critical)
                CA:FALSE
        Key usage: (critical)
                Digital signature.
                Non repudiation.
                Key encipherment.
                Data encipherment.
        Key purpose OIDs:
                TLS WWW Server.
                TLS WWW Client.
        Subject Key ID:
                42:94:B5:E5:C3:22:BA:D1:69:F7:F6:39:60:F5:09:72:13:B0:AD:12
        Authority Key ID:
                BE:A8:A0:74:72:50:6B:44:B7:C9:23:D8:FB:A8:FF:B3:57:6B:68:6C

Other information:
        MD5 Fingerprint: F2:07:48:E6:B2:61:F1:AD:F4:B7:EC:E7:B9:3F:B2:F6
        SHA1 Fingerprint:
90:1C:79:51:47:53:B7:DC:B4:B4:13:2D:BC:8E:D4:E2:FB:9B:54:75
        Public Key ID:
49:81:D4:57:93:E7:31:50:49:B7:56:45:64:18:D1:2B:F6:D2:CA:D3


- -----BEGIN CERTIFICATE-----
MIIDUzCCArygAwIBAgIDB/EwMA0GCSqGSIb3DQEBBAUAMFoxCzAJBgNVBAYTAlVT
MRwwGgYDVQQKExNFcXVpZmF4IFNlY3VyZSBJbmMuMS0wKwYDVQQDEyRFcXVpZmF4
IFNlY3VyZSBHbG9iYWwgZUJ1c2luZXNzIENBLTEwHhcNMDgwMzA5MDcyMTIzWhcN
MDkwMzEwMDYyMTIzWjCBwjELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE3d3dy5ub2lz
ZWJyaWRnZS5uZXQxEzARBgNVBAsTCkdUMDM4MTQ5NTUxMTAvBgNVBAsTKFNlZSB3
d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMgKGMpMDgxLzAtBgNVBAsTJkRv
bWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlkU1NMKFIpMRwwGgYDVQQDExN3
d3cubm9pc2VicmlkZ2UubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/
O4NdhL+EjOiLBjtj570XZY+1nJn+8G5O5avGb8iGsXHk7psSLeUcV9Wynh4FjVE7
xwH9QbtMIro19/DuKco7pQRBo/FOL1Mxl5DpQbyxgyv7+G/tivr8Gs2mVwGLHena
PDK9qIfHuCikxk+IkuR9xA+YEWKzLOaBbm7hH31GnQIDAQABo4G9MIG6MA4GA1Ud
DwEB/wQEAwIE8DAdBgNVHQ4EFgQUQpS15cMiutFp9/Y5YPUJchOwrRIwOwYDVR0f
BDQwMjAwoC6gLIYqaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9nbG9iYWxj
YTEuY3JsMB8GA1UdIwQYMBaAFL6ooHRyUGtEt8kj2Puo/7NXa2hsMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEB
BAUAA4GBAC/Dpp09nQxPpReI1gaZyHbNUPXc+u95+UiLiuK5PiqGRe+uQzQ4D9Fn
lciQbezcUD8GsTJApXfAtkJwohnv5Rp8tdFJmULYAD5YTROQH745/2pdfaRFFtxA
GaYhCIa2j325Sym4yxdGg3SmbR5QcUNpxmQ1c0mZBqEogoUhTivQ
- -----END CERTIFICATE-----


Or if you prefer openssl:

rorreoi at bridge:~$ openssl s_client -ssl3  -host www.noisebridge.net
- -port 443
CONNECTED(00000003)
depth=0 /C=US/O=www.noisebridge.net/OU=GT03814955/OU=See
www.rapidssl.com/resources/cps (c)08/OU=Domain Control Validated -
RapidSSL(R)/CN=www.noisebridge.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=www.noisebridge.net/OU=GT03814955/OU=See
www.rapidssl.com/resources/cps (c)08/OU=Domain Control Validated -
RapidSSL(R)/CN=www.noisebridge.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/O=www.noisebridge.net/OU=GT03814955/OU=See
www.rapidssl.com/resources/cps (c)08/OU=Domain Control Validated -
RapidSSL(R)/CN=www.noisebridge.net
verify error:num=21:unable to verify the first certificate
verify return:1
h---
Certificate chain
 0 s:/C=US/O=www.noisebridge.net/OU=GT03814955/OU=See
www.rapidssl.com/resources/cps (c)08/OU=Domain Control Validated -
RapidSSL(R)/CN=www.noisebridge.net
   i:/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
- ---
Server certificate
- -----BEGIN CERTIFICATE-----
MIIDUzCCArygAwIBAgIDB/EwMA0GCSqGSIb3DQEBBAUAMFoxCzAJBgNVBAYTAlVT
MRwwGgYDVQQKExNFcXVpZmF4IFNlY3VyZSBJbmMuMS0wKwYDVQQDEyRFcXVpZmF4
IFNlY3VyZSBHbG9iYWwgZUJ1c2luZXNzIENBLTEwHhcNMDgwMzA5MDcyMTIzWhcN
MDkwMzEwMDYyMTIzWjCBwjELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE3d3dy5ub2lz
ZWJyaWRnZS5uZXQxEzARBgNVBAsTCkdUMDM4MTQ5NTUxMTAvBgNVBAsTKFNlZSB3
d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMgKGMpMDgxLzAtBgNVBAsTJkRv
bWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlkU1NMKFIpMRwwGgYDVQQDExN3
d3cubm9pc2VicmlkZ2UubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/
O4NdhL+EjOiLBjtj570XZY+1nJn+8G5O5avGb8iGsXHk7psSLeUcV9Wynh4FjVE7
xwH9QbtMIro19/DuKco7pQRBo/FOL1Mxl5DpQbyxgyv7+G/tivr8Gs2mVwGLHena
PDK9qIfHuCikxk+IkuR9xA+YEWKzLOaBbm7hH31GnQIDAQABo4G9MIG6MA4GA1Ud
DwEB/wQEAwIE8DAdBgNVHQ4EFgQUQpS15cMiutFp9/Y5YPUJchOwrRIwOwYDVR0f
BDQwMjAwoC6gLIYqaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9nbG9iYWxj
YTEuY3JsMB8GA1UdIwQYMBaAFL6ooHRyUGtEt8kj2Puo/7NXa2hsMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEB
BAUAA4GBAC/Dpp09nQxPpReI1gaZyHbNUPXc+u95+UiLiuK5PiqGRe+uQzQ4D9Fn
lciQbezcUD8GsTJApXfAtkJwohnv5Rp8tdFJmULYAD5YTROQH745/2pdfaRFFtxA
GaYhCIa2j325Sym4yxdGg3SmbR5QcUNpxmQ1c0mZBqEogoUhTivQ
- -----END CERTIFICATE-----
subject=/C=US/O=www.noisebridge.net/OU=GT03814955/OU=See
www.rapidssl.com/resources/cps (c)08/OU=Domain Control Validated -
RapidSSL(R)/CN=www.noisebridge.net
issuer=/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
- ---
No client certificate CA names sent
- ---
SSL handshake has read 1451 bytes and written 317 bytes
- ---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
68378EB1EF65650837E9D008D292B475505F8D0CE4023007051A5155FFC2B710
    Session-ID-ctx:
    Master-Key:
AB03FFBB324EF56799BFD44F1324601D8B5F2BB260EC36293AE5896AF0E883187F5EC2E3D0416EA435A133EB4957317F
    Key-Arg   : None
   Compression: 1 (zlib compression)
    Start Time: 1205048730
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
- ---

Yes!

- -jake

-----BEGIN PGP SIGNATURE-----

iD8DBQFH05t0mCiURc9yJggRCofcAJ9Keq3qPNn7KBcf00USydCZBLoXlQCeIDVu
UXjnjcUSf4zutQ503Pnzm/c=
=Lcg3
-----END PGP SIGNATURE-----



More information about the Noisebridge-discuss mailing list