I can't find a way to reach out to whoever manages ARO directly so I figure
it would be best to publish this to the list.
We are a group of network operators who are failing at enforcing extremely
basic security in our own applications.
1.) Retrieving an ARO password sends a plain text email of your current
password. I'm sure this is minor as it's just ARO and none of us would ever
re-use a password in more critical systems.
2.) The SSL cert for secretariat.nanog.org is invalid. It looks to be
trying to use the wildcard for amsl.com
$ openssl s_client -showcerts -connect secretariat.nanog.org:443
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=21:unable to verify the first certificate
verify return:1
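The first complaint above boils down to this: a site that can email you your current password must be storing it reversibly. Below is an added example (not ARO or NANOG code; all names are hypothetical) of the usual alternative, a salted iterated hash for storage plus a single-use, time-limited reset token that is the only thing ever put in an email. The work factor is an assumption chosen to keep the example quick.

```python
"""Password storage and reset flow that cannot email a current password.

Added example, not code from the thread. Only a PBKDF2 hash of the password
is stored, so there is nothing to mail back; account recovery mails a
random reset token instead, and only the token's hash is kept server-side.
All names here are hypothetical.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 210_000  # assumption: modest work factor; raise in production
TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


class ResetTokens:
    """Single-use, time-limited reset tokens.

    The clock is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # sha256(token) -> (username, expires_at)

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (username, self._now() + TOKEN_TTL_SECONDS)
        return token  # this is what goes in the email, never a password

    def redeem(self, token: str):
        """Return the username the token was issued for, or None if it is
        unknown, already used, or expired. Tokens are removed on first use."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)
        if entry is None:
            return None
        username, expires_at = entry
        if self._now() > expires_at:
            return None
        return username


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored))  # True
    tokens = ResetTokens()
    t = tokens.issue("nicholas")
    print(tokens.redeem(t), tokens.redeem(t))  # nicholas None
```

Because only the hash of each reset token is stored, a dump of the pending-token table does not let anyone complete a reset, and because the token is popped on first use, a forwarded or replayed email is worthless after the first redemption.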
> I can't find a way to reach out to whoever manages ARO directly so I figure
> it would be best to publish this to the list.
Nicholas,
It's normally a good idea to email any questions you have to
nanog-support@nanog.org. They should always get you an answer or point you
in the correct direction.
> We are a group of network operators who are failing at enforcing extremely
> basic security in our own applications.
> 1.) Retrieving an ARO password sends a plain text email of your current
> password. I'm sure this is minor as it's just ARO and none of us would ever
> re-use a password in more critical systems.
This is a known problem and I assure you NANOG is working with their vendor
to address it.
> 2.) The SSL cert for secretariat.nanog.org is invalid. It looks to be
> trying to use the wildcard for amsl.com
I'm curious what is going on, but I wonder if it doesn't have something to
do with the openssl command you've entered below.
When using firefox, chrome, or safari from my laptop and internet explorer
from within a VM, I'm being offered the *.nanog.org wildcard cert, not an
amsl.com cert. I checked a popular online ssl certificate checker and
similarly received the proper certificate.
Are you receiving a certificate error of some type in your browser? If so,
let's take the conversation off of nanog to spare the list.
-e
I too get the amsl cert in response to an openssl cert query with a
bog-standard Starfield Class 2 chain
% openssl s_client -connect secretariat.nanog.org:443
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=21:unable to verify the first certificate
verify return:1
Hi Eric,
It does and it doesn't. The following openssl command gets the correct cert:
openssl s_client -servername secretariat.nanog.org -showcerts -connect secretariat.nanog.org:443
The -servername parameter tells openssl to use the SSL Server Name
Indication extension. This allows multiple HTTPS web sites to live on
the same IP address much as the HTTP 1.1 Host header allowed multiple
regular HTTP web sites to live on the same IP address.
All "modern" web browsers support SNI. "Modern" doesn't go back
terribly far. "Older" implementations of HTTPS will get the wrong
certificate as shown. So, if you want to maximize compatibility, have
a talk with your vendor about a dedicated IP address for your HTTPS
server. Otherwise, make a note in your documentation that SSL clients
must support the SNI extension to use the web site.
Regards,
Bill Herrin
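To make Bill's point checkable rather than eyeballed, here is an added example (not code from the thread or from NANOG) that pulls the leaf certificate's CN out of `openssl s_client` output and applies the wildcard matching rules of RFC 6125 section 6.4.3: a `*` may only be the whole leftmost label and it matches exactly one label, so `*.amsl.com` cannot cover `secretariat.nanog.org` while `*.nanog.org` does. The two sample outputs are constructed to look like the ones quoted in this thread; `diagnose()` is a hypothetical helper name.

```python
"""Does the certificate a server handed back actually cover the requested name?

Added example, not code from the thread. The two s_client samples below are
constructed to mirror the thread's outputs (one without SNI, one with).
"""
import re

# Matches either the 'depth=0 /.../CN=x' line or a 'subject=...CN=x' line.
LEAF_CN_RE = re.compile(r"^(?:depth=0|subject=).*?CN\s*=\s*([^/,\s]+)", re.MULTILINE)

# Constructed sample: what the thread shows when no SNI name is sent.
WITHOUT_SNI = """CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=20:unable to get local issuer certificate
verify return:1
"""

# Constructed sample: what the thread shows with -servername secretariat.nanog.org.
WITH_SNI = """CONNECTED(00000003)
depth=3 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.nanog.org
verify return:1
"""


def leaf_common_name(s_client_output: str):
    """Return the CN of the leaf (depth 0) certificate, or None if absent."""
    m = LEAF_CN_RE.search(s_client_output)
    return m.group(1) if m else None


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 6.4.3 style comparison of a certificate name against a host.

    Case-insensitive; a wildcard must be the entire leftmost label, must not
    appear anywhere else, needs at least two labels after it, and matches
    exactly one label (so '*.nanog.org' covers 'www.nanog.org' but neither
    'nanog.org' nor 'a.b.nanog.org').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def diagnose(s_client_output: str, requested_host: str) -> str:
    """Explain whether the presented leaf certificate covers requested_host."""
    cn = leaf_common_name(s_client_output)
    if cn is None:
        return "no leaf certificate subject found"
    if hostname_matches(cn, requested_host):
        return f"ok: {cn} covers {requested_host}"
    return (
        f"mismatch: server presented {cn} for {requested_host}; "
        "on a shared IP, retry with SNI (openssl s_client -servername <host>)"
    )


if __name__ == "__main__":
    print(diagnose(WITHOUT_SNI, "secretariat.nanog.org"))  # mismatch ...
    print(diagnose(WITH_SNI, "secretariat.nanog.org"))     # ok ...
```

Real checks should compare against the Subject Alternative Name entries rather than the CN alone, but the wildcard rules are the same, and the point of the helper is the one Bill makes: a client that never sends SNI on a shared IP is handed the default virtual host's certificate, and the name comparison is what turns that into a visible error.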
$ openssl s_client -servername www.nanog.org -connect www.nanog.org:443
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2
Certification Authority
.... stuff....
subject=/OU=Domain Control Validated/CN=*.nanog.org
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure
Certificate Authority - G2
.... stuff .....
(I think you need to send along: -servername)
of course, this begs the question of why one would try to go to
https://secretariat.nanog.org/. it is published as a supported web
site?
randy
> (I think you need to send along: -servername)
point
% openssl s_client -servername secretariat.nanog.org -connect secretariat.nanog.org:443
CONNECTED(00000003)
depth=3 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0