
Did we kill crt.sh?

    FATAL:  terminating connection due to conflict with recovery
    DETAIL:  User query might have needed to see row versions that must be removed.
    CONTEXT:  SQL statement "SELECT c.ID, x509_print(c.CERTIFICATE, NULL, 196608), ca.ID, cac.CA_ID,
         digest(c.CERTIFICATE, 'sha1'::text),
         digest(c.CERTIFICATE, 'sha256'::text),
         x509_serialNumber(c.CERTIFICATE),
         digest(x509_publicKey(c.CERTIFICATE), 'sha256'::text),
         x509_rsamodulus(c.CERTIFICATE),
         x509_hasROCAFingerprint(c.CERTIFICATE),
         x509_hasClosePrimes(c.CERTIFICATE),
         c.CERTIFICATE
         FROM certificate c
         LEFT OUTER JOIN ca ON (c.ISSUER_CA_ID = ca.ID)
         LEFT OUTER JOIN ca_certificate cac
             ON (c.ID = cac.CERTIFICATE_ID)
        WHERE digest(c.CERTIFICATE, 'sha256') = t_bytea"
    PL/pgSQL function web_apis(text,text[],text[]) line 1757 at SQL statement
    ERROR:  server conn crashed?
    server closed the connection unexpectedly
     This probably means the server terminated abnormally
     before or while processing the request.

and now it's just a 502 error!


Unfortunately, crt.sh is chronically overloaded.


I've never seen it happen before, but you would know better!


Are there other ways to get these logs?


You can query logs directly using the API described in RFC 6962: https://datatracker.ietf.org/doc/html/rfc6962#section-4

You'll need a list of logs to query. Chrome publishes their log list at: https://www.gstatic.com/ct/log_list/v3/log_list.json

My company offers a higher-level API for querying by domain name: https://sslmate.com/ct_search_api/


I haven't found any, yet. I would love to have a list of domains affected by this to cross-check that none of my issued certificates were affected by this.


The list of all affected SHA256 fingerprints is in https://bug1838667.bmoattachments.org/attachment.cgi?id=9340...

You can get the SHA256 fingerprint for your certificate by running

  openssl x509 -in mycert.pem -sha256 -fingerprint -noout 
If you don't like the format,

  openssl x509 -in mycert.pem -sha256 -fingerprint -noout | cut -d= -f2 | tr -d : | tr A-F a-f
will match the format in the list of affected certificates more closely.

If you need to do this against a web server and don't already have a copy of the certificate locally, something like

  echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null <&- | openssl x509 -sha256 -fingerprint -noout | cut -d= -f2 | tr -d : | tr A-F a-f
(This example outputs the actual SHA256 fingerprint for the real domain example.com, which is not affected.)
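Putting the two pointers in this thread together (the RFC 6962 API for reading entries straight from a log, and the SHA-256 fingerprint normalisation used to match the affected list), here is an added example in Python. It is not code from the thread, from crt.sh or from SSLMate. It decodes the MerkleTreeLeaf structure that get-entries returns, computes the same lowercase, colon-free SHA-256 fingerprint the openssl | cut | tr pipeline above produces, and checks each leaf against a set of affected fingerprints. The sample get-entries response and the "certificate" bytes in it are constructed so the check runs offline; the function names, the script name and the affected-list file format (one fingerprint per line) are this example's own assumptions. One caveat worth knowing before walking logs: a precert_entry leaf carries only the precertificate's TBSCertificate, not the issued certificate, so its hash never matches a final certificate's fingerprint; only x509_entry leaves can be compared directly.

```python
import base64
import hashlib
import json
import struct
import sys
import urllib.request

X509_ENTRY, PRECERT_ENTRY = 0, 1   # LogEntryType, RFC 6962 section 3.1

def _length_prefixed(buf: bytes, pos: int, width: int):
    """Read a <width>-byte big-endian length, then that many bytes; return (data, new_pos)."""
    n = int.from_bytes(buf[pos:pos + width], "big")
    return buf[pos + width:pos + width + n], pos + width + n

def parse_leaf_input(leaf_input: bytes) -> dict:
    """Decode the MerkleTreeLeaf (RFC 6962 section 3.4) from a get-entries leaf_input:
    version(1) leaf_type(1) timestamp(8) entry_type(2), then for x509_entry a
    3-byte-length DER certificate, for precert_entry issuer_key_hash(32) plus a
    3-byte-length TBSCertificate, then 2-byte-length extensions."""
    version, leaf_type = leaf_input[0], leaf_input[1]
    if version != 0 or leaf_type != 0:        # v1, timestamped_entry
        raise ValueError(f"unsupported leaf: version={version} type={leaf_type}")
    timestamp_ms, entry_type = struct.unpack(">QH", leaf_input[2:12])
    entry, pos = {"timestamp_ms": timestamp_ms, "entry_type": entry_type}, 12
    if entry_type == X509_ENTRY:
        entry["certificate"], pos = _length_prefixed(leaf_input, pos, 3)
    elif entry_type == PRECERT_ENTRY:
        entry["issuer_key_hash"], pos = leaf_input[pos:pos + 32], pos + 32
        entry["tbs_certificate"], pos = _length_prefixed(leaf_input, pos, 3)
    else:
        raise ValueError(f"unknown entry_type {entry_type}")
    entry["extensions"], pos = _length_prefixed(leaf_input, pos, 2)
    if pos != len(leaf_input):
        raise ValueError("trailing bytes after MerkleTreeLeaf")
    return entry

def build_x509_leaf(cert_der: bytes, timestamp_ms: int) -> bytes:
    """Inverse of parse_leaf_input for x509_entry (no extensions); used for offline test data."""
    return (b"\x00\x00" + struct.pack(">QH", timestamp_ms, X509_ENTRY)
            + len(cert_der).to_bytes(3, "big") + cert_der + b"\x00\x00")

def normalise_fingerprint(text: str) -> str:
    """'sha256 Fingerprint=AB:CD:...' or 'AB:CD:...' -> lowercase hex without colons,
    the same normalisation as the openssl | cut | tr pipeline in the thread."""
    return text.split("=")[-1].strip().replace(":", "").lower()

def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 over the DER certificate, already in that normalised form."""
    return hashlib.sha256(der).hexdigest()

def check_entries(entries_json: dict, affected: set) -> list:
    """One record per leaf of a decoded get-entries response. Only x509_entry leaves
    carry the issued certificate; a precert_entry leaf holds the precertificate's
    TBSCertificate (poison extension, no SCTs), whose hash never equals the final
    certificate's fingerprint, so those are reported with fingerprint=None."""
    results = []
    for e in entries_json["entries"]:
        leaf = parse_leaf_input(base64.b64decode(e["leaf_input"]))
        rec = {"timestamp_ms": leaf["timestamp_ms"], "entry_type": leaf["entry_type"],
               "fingerprint": None, "affected": None}
        if leaf["entry_type"] == X509_ENTRY:
            rec["fingerprint"] = fingerprint_sha256(leaf["certificate"])
            rec["affected"] = rec["fingerprint"] in affected
        results.append(rec)
    return results

def load_affected(path: str) -> set:
    """Affected list (assumed format): one fingerprint per line, any form normalise_fingerprint accepts."""
    with open(path) as f:
        return {normalise_fingerprint(line) for line in f if line.strip()}

def fetch_json(log_url: str, api: str) -> dict:
    """GET <log_url>/ct/v1/<api>; log_url is the 'url' of a log in Chrome's log_list.json."""
    with urllib.request.urlopen(log_url.rstrip("/") + "/ct/v1/" + api) as r:
        return json.load(r)

# Constructed offline sample: SAMPLE_CERT stands in for the DER certificate a
# real x509_entry leaf carries; it is not an actual certificate.
SAMPLE_CERT = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_RESPONSE = {"entries": [{
    "leaf_input": base64.b64encode(build_x509_leaf(SAMPLE_CERT, 1686700000000)).decode(),
    "extra_data": ""}]}

if __name__ == "__main__":
    # usage: python ctcheck.py <log_url> <affected.txt>; checks the newest 64 leaves
    # (RFC 6962 sections 4.3 and 4.6; a log may return fewer entries than asked for)
    log_url, affected = sys.argv[1], load_affected(sys.argv[2])
    size = fetch_json(log_url, "get-sth")["tree_size"]
    batch = fetch_json(log_url, f"get-entries?start={max(0, size - 64)}&end={size - 1}")
    for rec in check_entries(batch, affected):
        print(rec)
```

To scan a whole log rather than its tail, loop get-entries from 0 up to tree_size in batches and resume from the number of entries actually returned, since logs cap the batch size; for precert leaves, the issued certificate (if the CA logged it) shows up as a separate x509_entry, which is the one to fingerprint.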



Thank you and much appreciated, fortunately had no affected certs. I guess I need to spend some time implementing ARI :)



