Re: [tor-bugs] #22460 [Core Tor/Tor]: Received a bad CERTS cell: Link certificate does not match TLS certificate
#22460: Received a bad CERTS cell: Link certificate does not match TLS certificate
-------------------------------------------------+-------------------------
 Reporter:  teor                                 |  Owner:
 Type:  defect                                   |  Status:  new
 Priority:  High                                 |  Milestone:  Tor: 0.3.1.x-final
 Component:  Core Tor/Tor                        |  Version:
 Severity:  Major                                |  Resolution:
 Keywords:  tor-relay certs handshake ed25519    |  Actual Points:
   needs-analysis 030-backport                   |
 Parent ID:                                      |  Points:
 Reviewer:                                       |  Sponsor:
-------------------------------------------------+-------------------------
Comment (by nickm):
Replying to [comment:18 arma]:
> {{{
> May 31 15:20:00.993 [info] channel_tls_process_versions_cell(): Negotiated version 4 with 78.52.211.211:443; Sending cells: CERTS
> May 31 15:20:00.993 [info] rsa_ed25519_crosscert_check(): Received a bad RSA->Ed25519 crosscert: Crosscert is expired
> May 31 15:20:00.993 [info] or_handshake_certs_ed25519_ok(): Received a bad CERTS cell: Invalid RSA->Ed25519 crosscert
> May 31 15:20:00.993 [info] channel_tls_process_certs_cell(): Received a bad CERTS cell from 78.52.211.211:443: Invalid certificate chain!
> May 31 15:20:00.993 [info] dump_certs_cell(): certificate 3/5: type 4, body
0104000658E501A85A541FF2B5D4FBC156155D939779733E3AB55E8607D99942D470EBA1E79D96010020040006232608577AC3AF530DF8B046C51722C0C9529C5C98557F5515ACEB195ABCF0824974D7B657073ACEBB35EC2B12C0DA6BC3E602A7AAB3F8523633E073CFAD3E099100B33C9B5DBA09346D5CADD577A0216E0A09BF7895534B01566DBB796907
> ...
> }}}
This is the master cert; it says that the master ID key is
06232608577AC3AF530DF8B046C51722C0C9529C5C98557F5515ACEB195ABCF0, and that
the current signing key is
A85A541FF2B5D4FBC156155D939779733E3AB55E8607D99942D470EBA1E79D96. The
expiration type is 3600 * 0x000658E5, or Jun 15 at 5 am.
> {{{
> ...
> May 31 15:20:00.993 [info] dump_certs_cell(): certificate 5/5: type 7, body
06232608577AC3AF530DF8B046C51722C0C9529C5C98557F5515ACEB195ABCF00001563180463B800A78747A0759A51E037CA30C5253F5CAE555B8B3E9C50520FC3C72259E50339FA76474BC6A693043E443BDEA73F82A82CD94FD550945E9690BC610DB1938E12926781D37B5E72BB0F1991ACD376F45D29B9B8837CC49F5A128130CD553017BF1A4CE9770EE694403F9CE9E9A3C362EC59142B42DC3982A17653ABB64C5
> }}}
This one is the RSA->Ed crosscert. The signed key is
06232608577AC3AF530DF8B046C51722C0C9529C5C98557F5515ACEB195ABCF0, which is
what we had hoped for. But the expiration date here is 0x15631 * 3600 ==
1979, Dec 30, 1am! That's very wrong.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22460#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
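
The decoding walked through in the comment above can be reproduced with a small parser. This is an added example, not part of the ticket and not Tor's own code: the function names are hypothetical, the field layouts are the Ed25519 certificate and RSA->Ed25519 crosscert formats as I understand them from Tor's cert-spec and tor-spec, and the year in LOG_TIME is an assumption because the log lines carry none. It checks structure and expiration only, not signatures.

```python
import struct
from datetime import datetime, timezone

# Bodies copied from the dump_certs_cell() lines quoted in the message above.
ED_CERT = bytes.fromhex(    # certificate 3/5, type 4
    "0104000658E501A85A541FF2B5D4FBC156155D939779733E3AB55E8607D99942D470EBA1E79D96"
    "010020040006232608577AC3AF530DF8B046C51722C0C9529C5C98557F5515ACEB195ABCF0"
    "824974D7B657073ACEBB35EC2B12C0DA6BC3E602A7AAB3F8523633E073CFAD3E"
    "099100B33C9B5DBA09346D5CADD577A0216E0A09BF7895534B01566DBB796907")
CROSSCERT = bytes.fromhex(  # certificate 5/5, type 7
    "06232608577AC3AF530DF8B046C51722C0C9529C5C98557F5515ACEB195ABCF00001563180"
    "463B800A78747A0759A51E037CA30C5253F5CAE555B8B3E9C50520FC3C72259E"
    "50339FA76474BC6A693043E443BDEA73F82A82CD94FD550945E9690BC610DB19"
    "38E12926781D37B5E72BB0F1991ACD376F45D29B9B8837CC49F5A128130CD553"
    "017BF1A4CE9770EE694403F9CE9E9A3C362EC59142B42DC3982A17653ABB64C5")
# Constructed "now": the timestamp of the log lines; the year 2017 is an assumption.
LOG_TIME = datetime(2017, 5, 31, 15, 20, tzinfo=timezone.utc)

def hours_to_utc(hours):  # expiration fields count hours since the Unix epoch
    return datetime.fromtimestamp(hours * 3600, tz=timezone.utc)

def parse_ed_cert(body):
    # VERSION(1) CERT_TYPE(1) EXPIRATION(4) KEY_TYPE(1) KEY(32) N_EXT(1) exts SIG(64)
    end = len(body) - 64  # offset where the trailing signature starts
    if end < 40 or body[0] != 1:
        raise ValueError("truncated or unknown-version Ed25519 certificate")
    cert_type, hours, _key_type = struct.unpack_from(">xBIB", body)
    exts, pos = {}, 40
    for _ in range(body[39]):
        ext_len, ext_type, _flags = struct.unpack_from(">HBB", body, pos)
        if pos + 4 + ext_len > end:  # header or data would run into the signature
            raise ValueError("extension overruns certificate")
        exts[ext_type] = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    if pos != end:
        raise ValueError("unexpected bytes between extensions and signature")
    return {"cert_type": cert_type, "expires": hours_to_utc(hours),
            "certified_key": body[7:39], "extensions": exts}

def parse_crosscert(body):
    # ED25519_KEY(32) EXPIRATION(4) SIGLEN(1) SIGNATURE(SIGLEN)
    if len(body) < 37 or len(body) != 37 + body[36]:
        raise ValueError("truncated crosscert or signature length mismatch")
    (hours,) = struct.unpack_from(">I", body, 32)
    return {"ed_key": body[:32], "expires": hours_to_utc(hours)}

def is_expired(cert, now):
    return cert["expires"] <= now
```

Extension type 4 of the first certificate carries the key that signed it, which is the value to compare against the crosscert's key.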