TMCH: HIGHLY Insecure SSL config / certificates.
All,

it seems like the TMCH has rolled out a new certificate on the various marksdb.org interfaces. Besides the fact that the certificate now uses an intermediate cert that was not delivered with the chain (and hence made our TLS connect fail initially), we took a look at the general TLS configuration of the interfaces, and it seems that the TLS configuration is HIGHLY insecure at the moment:

https://www.ssllabs.com/ssltest/analyze.html?d=ry.marksdb.org (see "Protocol Details")

Could someone from the TMCH indicate whether they are working on fixing these serious issues?

Thanks,
Alex

On Fri, Jun 26, 2015 at 08:13:02AM +0000, Alexander Mayrhofer <alexander.mayrhofer@nic.at> wrote a message of 17 lines which said:
> the TLS configuration is HIGHLY insecure at the moment:

Just the day after the release of RFC 7568, how ironic :-) SSLv3 + RC4, a nice combo :-)

On 26.06.2015 10:13, Alexander Mayrhofer wrote:
> All,
> it seems like the TMCH has rolled out a new certificate on the various marksdb.org interfaces. Besides the fact that the certificate now uses an intermediate cert that was not delivered with the chain (and hence made our TLS connect fail initially)[...]
> Thanks, Alex

Hi all,

we noticed the missing intermediate certificate on the test and production systems yesterday evening (and informed IBM about that). From our perspective, it is not the right way that the clients (i.e. the registries) include the intermediate certificate into their trust stores, but that the server delivers it with its own certificate, as the former would defeat the idea behind the chain of trust.

Regards,
Klaus

--
Knipp Medien und Kommunikation GmbH
Technologiepark, Martin-Schmeißer-Weg 9, 44227 Dortmund
Managing directors: Dietmar Knipp, Elmar Knipp
Register entry: Amtsgericht Dortmund, HRB 13728
Contact data via http://klaus.tel

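Added example, not part of the message above and not TMCH or IBM tooling: the missing-intermediate failure reproduced offline with a constructed root, intermediate and leaf (all subject names and file names are made up). `openssl verify -untrusted` stands in for the certificates a server sends in the handshake, so the client's trust store holds only the root in both runs.

```shell
#!/bin/sh
# Constructed three-level demo PKI; every name here is made up.

# new_csr NAME CN: fresh RSA key (NAME.key) and signing request (NAME.csr)
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}

# sign NAME ISSUER [EXTFILE]: ISSUER's key signs NAME.csr into NAME.pem
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 2 ${3:+-extfile "$3"} -out "$1.pem" 2>/dev/null
}

# chain_check: prints "<leaf only> <leaf plus intermediate>", each OK or FAIL
chain_check() (
  set -e
  dir=$(mktemp -d); cd "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext

  new_csr root "Demo Root CA"
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 \
    -out root.pem 2>/dev/null
  new_csr int "Demo Intermediate CA"; sign int root ca.ext
  new_csr leaf "server.example";      sign leaf int

  # The client trusts only the root. -untrusted holds what the server would
  # send alongside its certificate: chain-building material, not trust anchors.
  if openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
  then a=OK; else a=FAIL; fi
  if openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1
  then b=OK; else b=FAIL; fi

  cd /; rm -rf "$dir"
  echo "$a $b"
)

chain_check   # prints: FAIL OK
```

The second run succeeds without the intermediate ever entering the trust store, which is the arrangement the message argues for.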
I've escalated this and will make sure this gets fixed asap.

Wim Fabri
IBM Belgium
Integrated Technology Services

From: Alexander Mayrhofer <alexander.mayrhofer@nic.at>
To: "gtld-tech@icann.org" <gtld-tech@icann.org>
Date: 26/06/2015 10:14
Subject: [gtld-tech] TMCH: HIGHLY Insecure SSL config / certificates.
Sent by: gtld-tech-bounces@icann.org

> All,
>
> it seems like the TMCH has rolled out a new certificate on the various marksdb.org interfaces. Besides the fact that the certificate now uses an intermediate cert that was not delivered with the chain (and hence made our TLS connect fail initially), we took a look at the general TLS configuration of the interfaces, and it seems that the TLS configuration is HIGHLY insecure at the moment:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=ry.marksdb.org (see "Protocol Details")
>
> Could someone from the TMCH indicate whether they are working on fixing these serious issues?
>
> Thanks,
> Alex

Participants (4): Alexander Mayrhofer, Klaus Malorny, Stephane Bortzmeyer, Wim Fabri