microsoft / referencesource

Source from the Microsoft .NET Reference Source that represents a subset of the .NET Framework
https://referencesource.microsoft.com/
MIT License

https://sourceof.net/ incorrect X.509 certificate #189

Open KalleOlaviNiemitalo opened 1 year ago

KalleOlaviNiemitalo commented 1 year ago

https://sourceof.net/ used to redirect to https://referencesource.microsoft.com/, but it now returns a certificate that is not valid for sourceof.net. According to its X509v3 Subject Alternative Name extension, the certificate is only valid for *.oneroute.microsoft.com and oneroute.microsoft.com.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            33:00:ad:23:7d:08:88:dc:2b:ee:99:c8:34:00:00:00:ad:23:7d
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C = US, O = Microsoft Corporation, CN = Microsoft Azure TLS Issuing CA 01
        Validity
            Not Before: May 24 10:48:49 2023 GMT
            Not After : May 18 10:48:49 2024 GMT
        Subject: C = US, ST = WA, L = Redmond, O = Microsoft Corporation, CN = *.oneroute.microsoft.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2001%20-%20xsign.crt
                OCSP - URI:http://oneocsp.microsoft.com/ocsp

            X509v3 Subject Key Identifier:
                1D:A8:FD:F0:7C:0A:EC:6D:D5:4D:E0:23:67:CF:9E:62:80:0C:57:48
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:*.oneroute.microsoft.com, DNS:oneroute.microsoft.com
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20TLS%20Issuing%20CA%2001.crl

            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.311.76.509.1.1
                  CPS: http://www.microsoft.com/pkiops/Docs/Repository.htm
                Policy: 2.23.140.1.2.2

            X509v3 Authority Key Identifier:
                keyid:0F:20:5D:D7:A1:57:95:DB:92:CF:2B:D0:C7:C2:77:04:CE:72:80:76

            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
    Signature Algorithm: sha384WithRSAEncryption

KalleOlaviNiemitalo commented 1 year ago

Reproduces with Mozilla Firefox 102.12.0esr, and with Microsoft Edge 114.0.1823.41.

KalleOlaviNiemitalo commented 1 year ago

Reported to refsrcfeedback@microsoft.com as well.

mairaw commented 1 year ago

@terrajobst @chrissfanos do you know who handles the certificates for that site sourceof.net?

ChrisSfanos commented 1 year ago

Unfortunately no. And double bummer, it's not one of the two sites we are taking ownership of.

terrajobst commented 1 year ago

I believe I bought that domain a long time ago, even before we did .NET Core and transferred that domain to Microsoft. I was sure @ChrisSfanos would know about it.

@richlander any idea who else would know about this?

ChrisSfanos commented 1 year ago

So I know about the domain, but I can't find any record of the certificate (I checked and I couldn't find anything in SSLAdmin), which is what I was hunting for.

KalleOlaviNiemitalo commented 1 year ago

Now I'm not sure whether the site ever had a certificate for sourceof.net. The announcement at https://devblogs.microsoft.com/dotnet/how-your-feedback-is-shaping-net/ links to http://sourceof.net/ (which works fine, no HSTS) rather than https://sourceof.net/.
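
The hostname check that fails in the first comment, reproduced as an added example (not part of the thread or of the referencesource project): it parses the Subject Alternative Name lines from an excerpt of the posted certificate dump and applies RFC 6125-style wildcard matching. The function names are assumptions made for this illustration.

```python
import re

# Excerpt of the certificate text dump posted in the first comment of this issue.
DUMP = """\
        Subject: C = US, ST = WA, L = Redmond, O = Microsoft Corporation, CN = *.oneroute.microsoft.com
            X509v3 Subject Alternative Name:
                DNS:*.oneroute.microsoft.com, DNS:oneroute.microsoft.com
            X509v3 Basic Constraints: critical
"""


def san_dns_names(text):
    """Return the DNS entries listed under Subject Alternative Name in an openssl-style dump."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e[4:].lower() for e in entries if e.startswith("DNS:")]


def name_matches(pattern, host):
    """RFC 6125-style match: '*' only as the whole leftmost label, covering exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two literal labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_valid_for(text, host):
    """True if any DNS SAN entry covers host. The Subject CN is not consulted."""
    return any(name_matches(n, host) for n in san_dns_names(text))


if __name__ == "__main__":
    for host in ("sourceof.net", "oneroute.microsoft.com", "foo.oneroute.microsoft.com"):
        print(host, cert_valid_for(DUMP, host))
```
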