nanog mailing list archives
Re: ARO Security
From: Eric Oosting <eric.oosting () gmail com>
Date: Mon, 18 May 2015 15:59:49 -0400
On Mon, May 18, 2015 at 12:30 PM, Nicholas Schmidt < nicholas.schmidt () controlgroup com> wrote:
I can't find a way to reach out to whoever manages ARO directly so I figure it would be best to publish this to the list.
Nicholas,

It's normally a good idea to email any questions you have to nanog-support () nanog org. They should always get you an answer or point you in the correct direction.

We are a group of network operators who are failing at enforcing extremely basic security in our own applications.

1.) Retrieving an ARO password sends a plain text email of your current password. I'm sure this is minor as it's just ARO and none of us would ever re-use a password in more critical systems.
This is a known problem and I assure you NANOG is working with their vendor to address it.
2.) The SSL cert for secretariat.nanog.org is invalid. It looks to be trying to use the wildcard for amsl.com
I'm curious what is going on, but I wonder if it doesn't have something to do with the openssl command you've entered below.

When using Firefox, Chrome, or Safari from my laptop and Internet Explorer from within a VM, I'm being offered the *.nanog.org wildcard cert, not an amsl.com cert. I checked a popular online SSL certificate checker and similarly received the proper certificate.

Are you receiving a certificate error of some type in your browser? If so, let's take the conversation off of nanog to spare the list.

-e
$ openssl s_client -showcerts -connect secretariat.nanog.org:443
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.amsl.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU= http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
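Added example (not part of the original message or thread): a small Python check over the s_client transcript quoted above. It extracts the leaf subject CN and the verify error codes, then tests the CN against the hostname that was requested. The function names are hypothetical, and it compares the subject CN only, because the posted transcript shows no subjectAltName entries.

```python
import re

# Leaf portion of the openssl s_client output as posted in the message above.
TRANSCRIPT = """\
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.amsl.com
"""

def parse_s_client(text):
    """Return (leaf subject CN, sorted unique verify error numbers)."""
    leaf = re.search(r"^\s*0 s:.*?/CN=([^/\n]+)", text, re.M)
    errors = {int(n) for n in re.findall(r"^verify error:num=(\d+):", text, re.M)}
    return (leaf.group(1).strip() if leaf else None, sorted(errors))

def name_matches(pattern, host):
    """Hostname match where '*' may stand only for the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def diagnose(text, host):
    """Summarise what the transcript says about the certificate served for host."""
    cn, errors = parse_s_client(text)
    return {"leaf_cn": cn,
            "verify_errors": errors,
            "name_ok": bool(cn) and name_matches(cn, host)}

if __name__ == "__main__":
    print(diagnose(TRANSCRIPT, "secretariat.nanog.org"))
```

Running the same check on a transcript captured by another client shows whether both clients were served the same leaf certificate.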