Do you trust that certificate?
Transcript of Do you trust that certificate?
Page 1: Do you trust that certificate?
Page 2-4: @zundan
Page 5: Important!
Page 6: Introduction to modern cryptography
Page 7: www.hyuki.com/cr/
Page 8: Transport Layer Security
Page 9: Secure Socket Layer
Page 10: TLS/SSL
Page 11: https://
Page 12: A web application
Page 13: Receives requests
Page 14: Calls external resources
Page 15: That handles secret information
Page 16: How does the app trust them?
Page 17: PKI
Page 18: Public-key infrastructure
Page 19: Server certificate
Page 20: Signed by Certificate Authority
Page 21: Certificate chain

```text
ssl.zunda.ninja:443
  <- COMODO RSA Validation Secure Server CA
     <- COMODO RSA Certification Authority
        <- AddTrust External CA Root
```
Page 22: One day
Page 23: Error
Page 24: Error

```text
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify
```

Page 25: I did not change anything!
Page 26: but
Page 27: Something outside has changed
Page 28: Error (same message as on page 24)
Page 29: Certificate chain

```text
ssl.zunda.ninja:443
  <- [NEW] Some Server CA
     <- [NEW] Some Certification Authority
        <- [NEW] Unknown CA Root
```
Page 30: 2014-09: 1024-bit RSA keys
Page 31: 2015-09: SHA-1 hash
Page 32: Replace with new certs
Page 33: On new CA certs
Page 34: That app does not know
Page 35: Certificate chain

```text
ssl.zunda.ninja:443
  <- [NEW] Some Server CA
     <- [NEW] Some Certification Authority
        <- [????]
```

Page 36: Error (same message as on page 24)
Page 37: So ...
Page 38:

```shell
$ bundle update
```

Page 39: well ...
Page 40: Include new CA cert in app
Page 41: Monkey patch to use it
Page 42: Net::HTTP

```ruby
require 'net/http'
require 'openssl'

# Monkey patch from the talk: every Net::HTTP connection that turns on SSL
# is pointed at the CA bundle shipped with the app, with peer verification on.
module Net
  class HTTP
    alias_method :original_use_ssl=, :use_ssl=

    def use_ssl=(flag)
      # CA bundle shipped inside the app, located relative to this file
      self.ca_file = File.dirname(__FILE__) + '/../../certs/cacert.pem'
      self.verify_mode = OpenSSL::SSL::VERIFY_PEER
      self.original_use_ssl = flag
    end
  end
end
```
Page 43: ActiveMerchant

```ruby
require 'openssl'

# ActiveMerchant's connection setup as shown in the talk: with peer
# verification on, Net::HTTP is pointed at the CA bundle shipped in the gem.
module ActiveMerchant
  class Connection
    def configure_ssl(http)
      return unless endpoint.scheme == "https"
      http.use_ssl = true
      if verify_peer
        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
        http.ca_file = File.dirname(__FILE__) + '/../../certs/cacert.pem'
      else
        http.verify_mode = OpenSSL::SSL::VERIFY_NONE
      end
    end
  end
end
```
Page 44: System's CA certs
Page 45: Where are they?
Page 46: System's certs

```shell
$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"
$ ls /usr/lib/ssl
certs@  misc/  openssl.cnf@  private@
$ ls -l /usr/lib/ssl/certs
... /usr/lib/ssl/certs -> /etc/ssl/certs/
```
Page 47: openssl/ssl.rb
If the verify_mode is not VERIFY_NONE and ca_file, ca_path and cert_store are not set then the system default certificate store is used.
Page 48: openssl/ssl.rb

```ruby
require 'openssl'

# Excerpt from Ruby's openssl/ssl.rb as quoted in the talk ("# snip" is the
# talk's own elision): with verification on and no ca_file, ca_path or
# cert_store set, SSLContext falls back to a default certificate store.
module OpenSSL
  module SSL
    class SSLContext
      def set_params(params={})
        # snip
        if self.verify_mode != OpenSSL::SSL::VERIFY_NONE
          unless self.ca_file or self.ca_path or self.cert_store
            self.cert_store = OpenSSL::X509::Store.new
          end
        end
        return params
      end
    end
  end
end
```
Page 49: System's certs

```ruby
require 'openssl'

# The same ActiveMerchant method with ca_path and ca_file cleared, so that
# OpenSSL falls back to the system's certificate store instead of the gem's bundle.
module ActiveMerchant
  class Connection
    def configure_ssl(http)
      return unless endpoint.scheme == "https"
      http.use_ssl = true
      if verify_peer
        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
        http.ca_path = nil
        http.ca_file = nil
      else
        http.verify_mode = OpenSSL::SSL::VERIFY_NONE
      end
    end
  end
end
```
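As an added example (not code from the talk, ActiveMerchant or Ruby's openssl), the script below builds a constructed root CA and a leaf certificate for ssl.zunda.ninja in memory and checks the leaf against the two kinds of store the slides contrast: one the app bundles itself with the new root added, and the system store loaded from OpenSSL's default paths, which has never seen that root. The CA name, keys and serials are invented for the demo.

```ruby
require 'openssl'
# Constructed example: an in-memory root CA and a leaf certificate issued by it.
# The names and keys are invented for this demo; nothing here comes from a real CA.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, so the basicConstraints extension is honoured
  cert.serial = ca ? 1 : 2
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject # self-signed root
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert('/CN=Constructed Example Root CA', CA_KEY, ca: true)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = make_cert('/CN=ssl.zunda.ninja', LEAF_KEY, issuer_cert: CA_CERT, issuer_key: CA_KEY)

# A store the app ships itself, with the new root added (what ca_file does on the slides).
def app_bundled_store
  store = OpenSSL::X509::Store.new
  store.add_cert(CA_CERT)
  store
end

# The system store: OpenSSL's default paths, /etc/ssl/certs on the slides' machine.
def system_store
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  store
end

# Returns [verified?, OpenSSL error code, reason] for a leaf checked against a store.
def check(leaf, store)
  ok = store.verify(leaf)
  [ok, store.error, store.error_string]
end
if __FILE__ == $0
  { 'app-bundled' => app_bundled_store, 'system' => system_store }.each do |name, store|
    puts "#{name}: #{check(LEAF_CERT, store).inspect}"
  end
end
```

Against the system store the check fails with "unable to get local issuer certificate", which is the situation behind the "certificate verify" error on the slides: the server's new root is simply not in whatever store the app ended up trusting.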
Page 50: Anyway
Page 51: Remember what we trust
Page 52: What is coming?
Page 53: 2016-06-01
Page 54: Symantec certs on Google products?
Page 55: Will there be updates?
Page 56: On Ubuntu: 2013-01-19, 2013-06-10, 2013-09-06, 2014-03-25, 2014-10-19, 2015-04-26 (launchpad - ca-certificates)
Page 57: On ActiveMerchant: 2007-03-03, 2011-09-15, 2015-01-16 (activemerchant - active_merchant)
Page 58: Remember and be prepared!
Page 59: Once more
Page 60: www.hyuki.com/cr/
Page 61: CRL
Page 62: Certificate Revocation List
Page 63: How are we updating this?
Page 64: SSL and TLS 1.0 will be disabled
Page 65: PCI Compliance
Page 66: Payment Card Industry
Page 67: Remember what we trust
Page 68: URLs
暗号技術入門 (Introduction to Cryptography)
Phasing out Certificates with 1024-bit RSA Keys
SHA-1
AWS to Switch to SHA256 Hash Algorithm for SSL Certificates
Sustaining Digital Certificate Security
Page 69: CC BY-ND 4.0
Presented as a lightning talk at RubyKaigi 2015 on 2015-12-12
Copyright 2015 by zunda <[email protected]>