Get the most out of your Centmin Mod LEMP stack
Become a Member

SSL wosign ssl cert trainwreck

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Xon, Aug 31, 2016.

  1. Xon

    Xon Active Member

    134
    57
    28
    Nov 16, 2015
    Ratings:
    +177
    Local Time:
    6:39 AM
    1.13.x
    MariaDB 10.1.x
    An fyi, but it is possible that wosign is going to get a large number of certs blacklisted due to a complete lack of security in their SSL cert issue system.

    http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html
    https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I
    The story of how WoSign gave me an SSL certificate for GitHub.com | Schrauger.com

    Yikes!
     
    • Informative Informative x 1
  2. eva2000

    eva2000 Administrator Staff Member

    30,882
    6,907
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,400
    Local Time:
    8:39 AM
    Nginx 1.13.x
    MariaDB 5.5
  3. eva2000

    eva2000 Administrator Staff Member

    30,882
    6,907
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,400
    Local Time:
    8:39 AM
    Nginx 1.13.x
    MariaDB 5.5
    hmm on very old centos 6 32bit seems StartSSL cert is playing up.. wonder if it has started for revoking of StartSSL/WoSign certs heh

    Code (Text):
    __|| |__    ___   ___ | | __ | \ | |  __ _ (_) _ __  __  __
            | |    | '_ \  / _ \ / __|| |/ / |  \| | / _` || || '_ \ \ \/ /
            | |___ | | | ||  __/| (__ |   <  | |\  || (_| || || | | | >  <
             \____||_| |_| \___| \___||_|\_\ |_| \_| \__, ||_||_| |_|/_/\_\
                                                     |___/              
                       __  __             _         _        
                      |  \/  |  ___    __| | _   _ | |  ___  ___
                      | |\/| | / _ \  / _` || | | || | / _ \/ __|
                      | |  | || (_) || (_| || |_| || ||  __/\__ \
                      |_|  |_| \___/  \__,_| \__,_||_| \___||___/
                                                             
    
    NGX_DYNAMICCHECK nginx_upgrade.inc
    /svr-setup
    
    nginx dynamic module support detected
    
    Check for old ngx_pagespeed master branch existence
    Check for missing nginx modules
    Download ngx-fancyindex-0.4.0.tar.gz ...
    --2016-08-31 23:22:49--  https://centminmod.com/centminmodparts/nginx/modules/ngx-fancyindex-0.4.0.tar.gz
    Resolving centminmod.com (centminmod.com)... 45.63.18.5
    Connecting to centminmod.com (centminmod.com)|45.63.18.5|:443... connected.
    ERROR: cannot verify centminmod.com's certificate, issued by ‘CN=StartCom Class 1 DV Server CA,OU=StartCom Certification Authority,O=StartCom Ltd.,C=IL’:
      Unable to locally verify the issuer's authority.
    To connect to centminmod.com insecurely, use `--no-check-certificate'.
    Error: ngx-fancyindex-0.4.0.tar.gz download failed.
    check Centmin Mod log for details at /root/centminlogs/
    Aborting script...


    disabled dual ECDSA + RSA SSL certs on centminmod.com as ECDSA was from startssl for testing. So back to just Comodo SSL Wildcard for centminmod.com for RSA 2048bit
    Code (Text):
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: CN=*.centminmod.com,OU=GGSSL Wildcard SSL,OU=Domain Control Validated
    *       start date: Aug 14 00:00:00 2014 GMT
    *       expire date: Aug 13 23:59:59 2017 GMT
    *       common name: *.centminmod.com
    *       issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB


    hmm seems to be unrelated and due to wget 1.18 source compile issue for centos 6 32bit only, centos 6 64bit and centos 7 seem fine

    for centos 6 32bit need to pass the --ca-certificate file path for some reason
    Code (Text):
    /usr/local/bin/wget -O /dev/nulll https://centminmod.com/centminmodparts/nginx/modules/ngx-fancyindex-0.4.0.tar.gz --ca-certificate=/etc/pki/tls/certs/ca-bundle.crt


    guess need to setup a .wgetrc file for centos 6 32bit systems
     
    Last edited: Sep 1, 2016
  4. eva2000

    eva2000 Administrator Staff Member

    30,882
    6,907
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,400
    Local Time:
    8:39 AM
    Nginx 1.13.x
    MariaDB 5.5
    WoSign and StartSSL are in deep dodo crap now CA:WoSign Issues - MozillaWiki

    and more importantly Google Groups - basically StartCOM and thus StartSSL changed ownership and is now owned by WoSigns and they deliberately tried to hide this and failed to report the change to Mozilla

    Talks of revoking WoSign and now StartSSL from CA trust in browsers would be huge. Everyone owning WoSign or StartSSL certs will have broken and invalid certs !
     
    Last edited: Sep 12, 2016
    • Informative Informative x 1
  5. eva2000

    eva2000 Administrator Staff Member

    30,882
    6,907
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,400
    Local Time:
    8:39 AM
    Nginx 1.13.x
    MariaDB 5.5
    Turning nasty now China’s WoSign CA found to threaten users of Let’s Encrypt CA | VPN Service Reviews 2016 | VPNPick.com !

    though maybe lost in translation as i don't see it as threats but heads up warnings
     
    • Informative Informative x 1
  6. eva2000

    eva2000 Administrator Staff Member

    30,882
    6,907
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,400
    Local Time:
    8:39 AM
    Nginx 1.13.x
    MariaDB 5.5
  7. eva2000

    eva2000 Administrator Staff Member

    30,882
    6,907
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,400
    Local Time:
    8:39 AM
    Nginx 1.13.x
    MariaDB 5.5
    first nail in coffin for StartSSL/WoSign SSL certificate users as Firefox/Mozilla plan to distrust their newly issued SSL certificates from their browser WoSign and StartCom - Google Docs

     
    • Like Like x 1
  8. eva2000

    eva2000 Administrator Staff Member

    30,882
    6,907
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,400
    Local Time:
    8:39 AM
    Nginx 1.13.x
    MariaDB 5.5
    More news of this
     
  9. eva2000

    eva2000 Administrator Staff Member

    30,882
    6,907
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,400
    Local Time:
    8:39 AM
    Nginx 1.13.x
    MariaDB 5.5
    the punches keep on landing.. Apple says no to WoSign/StartSSL certs (well their intermediate) too Google Groups

     
    Last edited: Oct 4, 2016
    • Informative Informative x 1
  10. eva2000

    eva2000 Administrator Staff Member

    30,882
    6,907
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,400
    Local Time:
    8:39 AM
    Nginx 1.13.x
    MariaDB 5.5
  11. Xon

    Xon Active Member

    134
    57
    28
    Nov 16, 2015
    Ratings:
    +177
    Local Time:
    6:39 AM
    1.13.x
    MariaDB 10.1.x
    Just posted that on xenforo.com too.
     
    • Like Like x 1