On Mon, May 18, 2015 at 12:30 PM, Nicholas Schmidt <nicholas.schmidt@controlgroup.com> wrote:
I can't find a way to reach out to whoever manages ARO directly, so I figure it would be best to publish this to the list.
Nicholas,
It's normally a good idea to email any questions you have to nanog-support@nanog.org. They should always get you an answer or point you in the correct direction.
We are a group of network operators who are failing at enforcing extremely basic security in our own applications.
1.) Retrieving an ARO password sends a plain text email of your current password. I'm sure this is minor as it's just ARO and none of us would ever re-use a password in more critical systems.
This is a known problem and I assure you NANOG is working with their vendor to address it.
2.) The SSL cert for secretariat.nanog.org is invalid. It looks to be trying to use the wildcard for amsl.com
I'm curious what is going on, but I wonder if it doesn't have something to do with the openssl command you've entered below. When using Firefox, Chrome, or Safari from my laptop and Internet Explorer from within a VM, I'm being offered the *.nanog.org wildcard cert, not an amsl.com cert. I checked a popular online SSL certificate checker and similarly received the proper certificate. Are you receiving a certificate error of some type in your browser? If so, let's take the conversation off of nanog to spare the list.
-e
$ openssl s_client -showcerts -connect secretariat.nanog.org:443
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.amsl.com
i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU= http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2