wget-dev

Re: wget2 | information leak with ocsp validation (#664)


From: frigo (@freedge1)
Subject: Re: wget2 | information leak with ocsp validation (#664)
Date: Sun, 12 May 2024 19:17:11 +0000



frigo commented: https://gitlab.com/gnuwget/wget2/-/issues/664#note_1901845410


I've never seen multi-stapling used anywhere. https://gitlab.com/ returns a stapled certificate:

```
$ openssl s_client -connect gitlab.com:443 -status
Connecting to 172.65.251.78
CONNECTED(00000003)
depth=2 C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
verify return:1
depth=1 C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN=gitlab.com
verify return:1
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 8D8C5EC454AD8AE177E99BF99B05E1B8018D61E1
    Produced At: May 10 18:54:28 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 430BD20E4F137A1A6C918F24E5DA7E324D4733C8
      Issuer Key Hash: 8D8C5EC454AD8AE177E99BF99B05E1B8018D61E1
      Serial Number: 68F6E556F64B6E907F5693AE399EFF47
    Cert Status: good
    This Update: May 10 18:54:28 2024 GMT
    Next Update: May 17 18:54:27 2024 GMT

    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        79:a9:b1:ce:70:83:29:99:29:f3:6d:04:e6:21:b3:86:ed:ec:
        c5:30:21:26:38:9c:f4:66:4b:59:0c:97:9d:a4:86:09:77:74:
        e0:51:7a:78:fe:39:9f:9f:a7:f3:c6:53:0c:aa:1b:e3:34:c5:
        73:ea:f3:7a:20:c8:85:ce:a7:a4:c9:6c:66:ae:25:86:da:30:
        d1:91:63:99:9b:b2:1e:07:d7:a9:31:96:40:9c:bd:e0:da:54:
        a4:bc:05:59:4d:32:86:5f:e6:bb:79:90:cf:21:5b:0a:a6:ee:
        40:0a:fb:04:60:6c:0f:30:5c:d9:fc:79:d7:77:59:74:dd:cc:
        b8:e5:fd:01:5c:35:cf:5f:32:3f:ae:6b:13:34:cb:ac:3b:62:
        82:b4:91:68:6e:f0:f4:67:a5:3a:48:86:3e:d6:7a:c7:c4:c0:
        a6:d2:4c:7a:6c:43:5b:2c:47:56:6a:d4:51:10:d4:c4:73:3f:
        4e:39:72:d6:82:d8:cf:df:aa:09:0c:0e:28:37:ac:6c:d6:b4:
        37:71:93:59:2e:f9:a0:c8:1e:64:32:bd:0e:9f:2b:51:43:21:
        26:dc:36:ce:63:32:f2:71:78:a5:12:57:d6:6b:1b:d9:ac:67:
        5e:d5:e1:f4:2c:22:f4:a3:c7:7b:0d:48:cd:03:c1:76:20:42:
        e5:aa:b6:81
======================================
---
Certificate chain
 0 s:CN=gitlab.com
   i:C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Apr 12 00:00:00 2024 GMT; NotAfter: May 11 23:59:59 2025 GMT
 1 s:C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
   i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Nov  2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
 2 s:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
   i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Feb  1 00:00:00 2010 GMT; NotAfter: Jan 18 23:59:59 2038 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
...
```
