On Mon, May 18, 2015 at 12:30 PM, Nicholas Schmidt <nicholas.schm...@controlgroup.com> wrote:

> I can't find a way to reach out to whoever manages ARO directly so I figure
> it would be best to publish this to the list.
>

Nicholas,

It's normally a good idea to email any questions you have to nanog-supp...@nanog.org. They should always get you an answer or point you in the correct direction.

> We are a group of network operators who are failing at enforcing extremely
> basic security in our own applications.
>
> 1.) Retrieving an ARO password sends a plain text email of your current
> password. I'm sure this is minor as it's just ARO and none of us would ever
> re-use a password in more critical systems.
>

This is a known problem and I assure you NANOG is working with their vendor to address it.

> 2.) The SSL cert for secretariat.nanog.org is invalid. It looks to be
> trying to use the wildcard for amsl.com

I'm curious what is going on, but I wonder if it doesn't have something to do with the openssl command you've entered below. When using firefox, chrome, or safari from my laptop and internet explorer from within a VM, I'm being offered the *.nanog.org wildcard cert, not an amsl.com cert. I checked a popular online ssl certificate checker and similarly received the proper certificate.

Are you receiving a certificate error of some type in your browser? If so, let's take the conversation off of nanog to spare the list.

-e

> $ openssl s_client -showcerts -connect secretariat.nanog.org:443
> CONNECTED(00000003)
> depth=0 /OU=Domain Control Validated/CN=*.amsl.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /OU=Domain Control Validated/CN=*.amsl.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /OU=Domain Control Validated/CN=*.amsl.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
> 0 s:/OU=Domain Control Validated/CN=*.amsl.com
> i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=
> http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate
> Authority - G2
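Added example, not part of either message: a small Python triage of the quoted `s_client` transcript that keeps two questions apart, whether the chain verified against the local trust store (the `verify error` numbers) and whether the presented leaf name covers the host that was dialled. The function names are hypothetical, and the subject CN stands in for the certificate's name list because that is all the transcript shows.

```python
import re

# Sample input: the s_client lines quoted in the thread above.
TRANSCRIPT = """\
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.amsl.com
"""

def wildcard_match(pattern, host):
    """Match a certificate name to a host; '*' covers only the whole leftmost label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse bare '*.tld' patterns and require the remaining labels to be equal.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def triage(transcript, host):
    """Report chain-trust errors and name coverage as separate findings."""
    # Leaf certificate is entry 0 of the "Certificate chain" section.
    leaf = re.search(r"^\s*0 s:.*?CN\s*=\s*([^/,\s]+)", transcript, re.M)
    errors = sorted({int(n) for n in re.findall(r"verify error:num=(\d+):", transcript)})
    leaf_cn = leaf.group(1) if leaf else None
    return {
        "leaf_cn": leaf_cn,
        "verify_errors": errors,  # 20/21/27 are chain-trust errors, not name checks
        "name_matches": bool(leaf_cn) and wildcard_match(leaf_cn, host),
    }

if __name__ == "__main__":
    print(triage(TRANSCRIPT, "secretariat.nanog.org"))
```

Errors 20, 21 and 27 only say the issuer could not be found in the local trust store; the name finding is what distinguishes a `*.amsl.com` leaf from the `*.nanog.org` one the reply reports seeing in browsers.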