OWASP / O-Saft

O-Saft - OWASP SSL advanced forensic tool
GNU General Public License v2.0

A few questions about wildcard certificate #64

Closed fredomgc closed 7 years ago

fredomgc commented 7 years ago

I have a few questions about wildcard certificates (I am not sure if I encountered a bug or expected behaviour).

When I run `./o-saft.pl +check google.com`

it outputs the following:

```
...
Connected hostname matches certificate's subject: no (google.com <> *.google.com)
```

^^ Is this a bug or expected behaviour? The hostname actually matches the certificate's subject, because of the wildcard certificate.

```
...
Certificate's wildcard does not match hostname: yes
```

^^ Is this a bug? The hostname matches the certificate's subject, so the answer should be "no".

^^ Also, according to the documentation, "The idea is to report yes if the result is considered "secure"". But is it a secure result when the hostname does NOT match the certificate?

EnDe commented 7 years ago

This is expected and documented behaviour, please see https://www.owasp.org/index.php/O-Saft/Documentation#.2Bcheck or off-site `o-saft.pl --help=RESULTS`

Brief explanation: certificates with wildcard CN, Subject and/or SubjectAltName are bad or even insecure practice for secure applications; however, it's common practice to use them, for example in CDNs. Some standards, like BSI TR-03116-4, do not allow wildcards at all. We are aware of this, hence these two checks and their probably misleading result(s) are documented.

Technically some.tld never matches *.some.tld, neither as a regex nor in the sense of a certificate wildcard. That's why "Connected hostname matches ..." is no. The same applies to "Certificate's wildcard does not match ...". Things are a little bit different for whatever.some.tld and *.some.tld.

Please look at the following example (valid 17. Febr. 2017):

```
o-saft.pl --tracekey --noheader +cn +hostname +wildhost google.com
#[cn]: Certificate Common Name: *.google.com
#[hostname]: Connected hostname matches certificate's subject: no (google.com <> *.google.com)
#[wildhost]: Certificate's wildcard does not match hostname: yes
```

and:

```
o-saft.pl --tracekey --noheader +cn +hostname +wildhost mail.google.com
#[cn]: Certificate Common Name: mail.google.com
#[hostname]: Connected hostname matches certificate's subject: yes
#[wildhost]: Certificate's wildcard does not match hostname: yes
```

If there is a need to improve the documentation, I'm happy to get more feedback.
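The matching rule described in the comment above, as an added example that is not O-Saft's code: the verdict names `hostname` and `wildhost` are taken from the O-Saft output quoted in the issue, but the logic is a simplified model written for this example, and it also covers the multi-label and bare-TLD cases the comment does not mention.

```python
from typing import Dict, Iterable


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate name (CN or SAN dNSName) covers hostname.

    A wildcard is honoured only as the complete left-most label and stands in
    for exactly one hostname label, so "*.some.tld" covers "whatever.some.tld"
    but neither "some.tld" nor "a.b.some.tld" (RFC 6125, section 6.4.3).
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if cert_labels[0] != "*":
        # Plain name: exact, case-insensitive, label-by-label comparison.
        return cert_labels == host_labels
    # "*.tld" is refused, the label counts must be equal, and no further
    # label may carry a '*'.
    if len(cert_labels) < 3 or len(cert_labels) != len(host_labels):
        return False
    if any("*" in label for label in cert_labels[1:]):
        return False
    return cert_labels[1:] == host_labels[1:]


def verdicts(hostname: str, cert_names: Iterable[str]) -> Dict[str, str]:
    """Simplified model of the +hostname and +wildhost verdicts quoted above.

    This is the example's own logic, not O-Saft's implementation: +hostname is
    "yes" when any certificate name covers the hostname; +wildhost is "yes"
    (the "secure" answer) when no wildcard name was needed for that match.
    """
    matched = [n for n in cert_names if name_matches(n, hostname)]
    wildcard_used = [n for n in matched if n.startswith("*.")]
    return {
        "hostname": "yes" if matched else "no",
        "wildhost": "no" if wildcard_used else "yes",
    }


if __name__ == "__main__":
    # Constructed samples reproducing the two lookups shown in the issue.
    for host, names in [("google.com", ["*.google.com"]),
                        ("mail.google.com", ["*.google.com"]),
                        ("mail.google.com", ["mail.google.com"])]:
        print(host, names, verdicts(host, names))
```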