<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello all,</p>
<p>We want to provide an update on the RPKI nonconformant X.509
issuer+subject name issue. </p>
<p>As background information, this issue emerged after upgrading our
RPKI system in 2022.
Later, we narrowed down the cause of the issue to an updated
OpenSSL config which emitted UTF8String by default, instead of
PrintableString, as pointed out in this mail thread. </p>
<p>We applied a fix in the signing process but that did not
automatically ensure that existing objects became conformant. </p>
<p>Further investigation and tests have been undertaken to ensure
full conformity, and we have identified a fix that requires
rekeying the hosted CAs that issued the current nonconformant End
Entity Certificates (with nonconformant X.509 issuer+subject
names). </p>
<p>We are planning maintenance of the affected hosted CAs in
batches, starting Thursday 21st March 2024, for around 3 weeks.
Batching is to minimise the risks posed by doing them in bulk due
to the large number of affected EEs. </p>
<p>We do not expect any disruptions for Resource Members using
AFRINIC’s RPKI services. For members with a large number of EE
certs under their CA, we will have further special consideration
in the process to avoid inconsistencies on the publication points.
</p>
<p>The maintenance schedule and status will be updated on our status
page [<a class="moz-txt-link-freetext" href="https://status.afrinic.net/">https://status.afrinic.net/</a>] and we will also keep you
informed once the exercise is completed.</p>
<p>Regards,<br>
AFRINIC</p>
<div class="moz-cite-prefix">On 28/02/2024 11:21, Yogesh Chadee via
DBWG wrote:<br>
</div>
<blockquote type="cite"
cite="mid:9dc9874f-55c5-4a28-a0ad-1dd65e4be840@afrinic.net">Dear
Job,
<br>
<br>
Thank you for pointing this out and even finding the solutions on
all fronts. We are looking into this information and will get back
to you and the group soon.
<br>
<br>
Regards,
<br>
<br>
Yogesh
<br>
<br>
On 27/02/2024 23:41, Job Snijders wrote:
<br>
<blockquote type="cite">Dear Afrinic,
<br>
<br>
On Tue, Feb 27, 2024 at 07:50:39PM +0100, Job Snijders wrote:
<br>
<blockquote type="cite">Perhaps adding "string_mask = nombstr"
to the "[req]" section of the
<br>
openssl.cnf file pointed to by the '-config' CLI option is
sufficient
<br>
to - going forward - only emit PrintableString instead of
UTF8String.
<br>
<br>
<a class="moz-txt-link-freetext" href="https://www.openssl.org/docs/man3.0/man1/openssl-req.html#string_mask">https://www.openssl.org/docs/man3.0/man1/openssl-req.html#string_mask</a>
<br>
</blockquote>
Perhaps I found the root cause! It turns out the above
documentation
<br>
contains errors. The 'default' value is not the default option,
utf8only
<br>
is the actual default value :-)
<br>
<br>
I submitted a fix to the OpenSSL project to clarify what the
software
<br>
really does: <a class="moz-txt-link-freetext" href="https://github.com/openssl/openssl/pull/23699">https://github.com/openssl/openssl/pull/23699</a>
<br>
<br>
In any case, using 'nombstr' should trigger the desired behavior
of
<br>
emitting PrintableString in accordance with the RPKI
specifications.
<br>
<br>
Kind regards,
<br>
<br>
Job
<br>
</blockquote>
<br>
_______________________________________________
<br>
DBWG mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:DBWG@afrinic.net">DBWG@afrinic.net</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.afrinic.net/mailman/listinfo/dbwg">https://lists.afrinic.net/mailman/listinfo/dbwg</a>
<br>
</blockquote>
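<p>Added example (not part of the thread, and not AFRINIC's or OpenSSL's code): a small pure-Python DER walker that inspects the string tag of each attribute in an X.509 Name, so an operator can verify whether issuer/subject names carry the PrintableString encoding the RPKI certificate profile (RFC 6487) requires for the CommonName, or the UTF8String that OpenSSL's utf8only string_mask produces. The two sample Names are constructed inline; <code>name_der</code> is assumed to be the DER bytes of an issuer or subject Name extracted from a certificate.</p>

```python
PRINTABLE_STRING = 0x13   # ASN.1 tag OpenSSL emits with string_mask = nombstr
UTF8_STRING = 0x0C        # tag emitted under the utf8only mask
OID_CN = bytes.fromhex("550403")   # 2.5.4.3 commonName

def _tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def name_attributes(name_der):
    """Return [(oid, string_tag, text)] for every attribute in a DER Name."""
    tag, seq, _ = _tlv(name_der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    out = []
    for _, rdn in _children(seq):            # each RDN is a SET
        for _, atv in _children(rdn):        # AttributeTypeAndValue SEQUENCE
            (_, oid), (val_tag, val) = list(_children(atv))
            out.append((oid, val_tag, val.decode("utf-8")))
    return out

def rpki_name_problems(name_der):
    """List CN attributes whose value is not a PrintableString (RFC 6487)."""
    return [f"CN {text!r} uses tag 0x{val_tag:02x}, not PrintableString"
            for oid, val_tag, text in name_attributes(name_der)
            if oid == OID_CN and val_tag != PRINTABLE_STRING]

def _der(tag, value):
    assert len(value) < 128                  # constructed samples are short
    return bytes([tag, len(value)]) + value

def make_name(cn, string_tag):
    """Build a one-attribute Name: SEQUENCE { SET { SEQUENCE { OID, string } } }."""
    atv = _der(0x30, _der(0x06, OID_CN) + _der(string_tag, cn.encode()))
    return _der(0x30, _der(0x31, atv))

GOOD_NAME = make_name("example-ca", PRINTABLE_STRING)   # constructed, as nombstr emits
BAD_NAME = make_name("example-ca", UTF8_STRING)         # constructed, as utf8only emits
```

<p>Running <code>rpki_name_problems</code> over the issuer and subject of each EE certificate in a repository gives a quick inventory of which objects still need reissuing after the string_mask fix.</p>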
</body>
</html>