[DBWG] Nonconformant X.509 issuer+subject names in almost all Afrinic RPKI CA/EE certs?

Yogesh Chadee yogesh at afrinic.net
Fri Mar 15 14:29:15 UTC 2024


Hello all,

We want to provide an update on the RPKI nonconformant X.509 
issuer+subject name issue.

As background information, this issue emerged after upgrading our RPKI 
system in 2022. Later, we narrowed down the cause of the issue to an 
updated OpenSSL config which emitted UTF8String by default, instead of 
PrintableString, as pointed out in this mail thread.

We applied a fix in the signing process but that did not automatically 
ensure that existing objects became conformant.

Further investigation and tests have been undertaken to ensure full 
conformity, and we have identified a fix that requires rekeying the 
hosted CAs that issued the current nonconformant End Entity Certificates 
(with nonconformant X.509 issuer+subject names).

We are planning maintenance of the affected hosted CAs in batches, 
starting Thursday 21st March 2024, for around 3 weeks. Batching is to 
minimise the risks posed by doing them in bulk due to the large number 
of affected EEs.

We do not expect any disruptions for Resource Members using AFRINIC’s 
RPKI services. For members with a large number of EE certs under their 
CA, we will have further special consideration in the process to avoid 
inconsistencies on the publication points.

The maintenance schedule and status will be updated on our status page 
[https://status.afrinic.net/] and we will also keep you informed once 
the exercise is completed.

Regards,
AFRINIC

On 28/02/2024 11:21, Yogesh Chadee via DBWG wrote:
> Dear Job,
>
> Thank you for pointing this out and even finding the solutions on all 
> fronts. We are looking into this information and will get back to you 
> and the group soon.
>
> Regards,
>
> Yogesh
>
> On 27/02/2024 23:41, Job Snijders wrote:
>> Dear Afrinic,
>>
>> On Tue, Feb 27, 2024 at 07:50:39PM +0100, Job Snijders wrote:
>>> Perhaps adding "string_mask = nombstr" to the "[req]" section of the
>>> openssl.cnf file pointed to by the '-config' CLI option is sufficient
>>> to - going forward - only emit PrintableString instead of UTF8String.
>>>
>>> https://www.openssl.org/docs/man3.0/man1/openssl-req.html#string_mask
>> Perhaps I found the root cause! It turns out the above documentation
>> contains errors. The 'default' value is not the default option, utf8only
>> is the actual default value :-)
>>
>> I submitted a fix to the OpenSSL project to clarify what the software
>> really does: https://github.com/openssl/openssl/pull/23699
>>
>> In any case, using 'nombstr' should trigger the desired behavior of
>> emitting PrintableString in accordance with the RPKI specifications.
>>
>> Kind regards,
>>
>> Job
>
> _______________________________________________
> DBWG mailing list
> DBWG at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/dbwg
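The check that the thread above implies, as an added example that is not part of the original messages or of AFRINIC's or OpenSSL's code: a small DER walker that reports which ASN.1 string type each issuer/subject Name attribute uses and flags CommonName values that are not PrintableString, the type RFC 6487 (sections 4.4 and 4.5) requires for RPKI certificates. The two sample Names at the bottom are constructed inline; the CN text and the claim about what each `string_mask` setting emits are assumptions for illustration.

```python
# Added example (not code from the AFRINIC thread or from OpenSSL): a minimal DER
# walker that reports the ASN.1 string type of each X.509 Name attribute and flags
# CommonName values that are not PrintableString (RFC 6487 sections 4.4 and 4.5).
SEQUENCE, SET, OID = 0x30, 0x31, 0x06
PRINTABLE_STRING, UTF8_STRING = 0x13, 0x0C
CN_OID = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3
TAG_NAMES = {0x13: "PrintableString", 0x0C: "UTF8String", 0x16: "IA5String", 0x1E: "BMPString"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def name_attributes(name_der):
    """Walk Name ::= SEQUENCE OF (SET OF SEQUENCE {OID, value}); return (oid, tag, text)."""
    tag, rdns, _ = read_tlv(name_der, 0)
    assert tag == SEQUENCE, "Name must be a SEQUENCE"
    out, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = read_tlv(rdns, pos)
        assert tag == SET, "RelativeDistinguishedName must be a SET"
        p = 0
        while p < len(rdn):
            tag, atv, p = read_tlv(rdn, p)
            t, oid, q = read_tlv(atv, 0)
            assert tag == SEQUENCE and t == OID, "malformed AttributeTypeAndValue"
            vtag, value, _ = read_tlv(atv, q)
            out.append((oid, vtag, value.decode("utf-8", "replace")))
    return out

def nonconformant_cns(name_der):
    """(string type, text) for every CN whose encoding is not PrintableString."""
    return [(TAG_NAMES.get(t, hex(t)), text) for oid, t, text in name_attributes(name_der)
            if oid == CN_OID and t != PRINTABLE_STRING]

def der(tag, body):
    """Encode one short-form DER TLV; enough for the constructed samples below."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def cn_name(text, string_tag):
    """Constructed sample Name holding a single CN with the given string type (hypothetical CN)."""
    return der(SEQUENCE, der(SET, der(SEQUENCE, der(OID, CN_OID) + der(string_tag, text.encode()))))

GOOD_NAME = cn_name("example-hosted-ca", PRINTABLE_STRING)  # PrintableString, as string_mask = nombstr emits
BAD_NAME = cn_name("example-hosted-ca", UTF8_STRING)        # UTF8String, as the utf8only default emits
```

Running `nonconformant_cns` over the issuer and subject Names pulled out of a CA or EE certificate's TBSCertificate gives a quick inventory of which objects still need to be reissued after a fix to the signing config.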

