The expiry of QuoVadis Global SSL ICA G3

Today’s been a fun one. DigiCert decided to add its QuoVadis Global SSL ICA G3 intermediate certificate to its Certificate Revocation Lists last night - a certificate that was in the chain of hundreds of our servers.

Doing this without any announcement or notice wasn’t the greatest way to start work on a Friday morning, but hopefully this information will prove useful to some.

The new certificate (issued 2020-09-22) has the serial number (hex): 2d2c802018b7907c4d2d79df7fb1bd872727cc93

The old certificate (issued 2012-11-06) has the serial number (hex): 7ed6e79cc9ad81c4c8193ef95d4428770e341317

Thankfully, you can simply swap the intermediate certificate in your chain for the updated one, available here: http://trust.quovadisglobal.com/qvsslg3.crt, without reissuing your end-entity certificates. This only works because a reissued intermediate keeps the same subject name and public key as the one it replaces, so the signatures on your existing certificates still validate against it; before rolling it out, check that `openssl x509 -in qvsslg3.crt -noout -subject -pubkey` prints the same subject and key as your old intermediate file (add `-inform DER` if the download is DER-encoded), then reload the service and confirm the served chain has actually changed.
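As an added example (not code from the original post), here is a small Python check that reads a PEM chain, such as the output of `openssl s_client -showcerts -connect host:443 -servername host </dev/null`, pulls each certificate's serial number straight out of its DER encoding, and reports whether the chain still carries the revoked intermediate. It matches on the two serial numbers above rather than on a fragment of the base64 text, so it is insensitive to PEM line wrapping. The `constructed_cert_pem()` helper is an assumption for offline testing: it builds a DER stub carrying only the version and serialNumber fields that the parser walks, not a real signed certificate.

```python
import base64
import re

# Serial numbers quoted in the post, as lowercase hex with no separators.
OLD_SERIAL = "7ed6e79cc9ad81c4c8193ef95d4428770e341317"  # issued 2012-11-06, now on the CRL
NEW_SERIAL = "2d2c802018b7907c4d2d79df7fb1bd872727cc93"  # issued 2020-09-22, the replacement

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Parse one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_serial_hex(der):
    """Return the serialNumber of a DER certificate as lowercase hex.

    Certificate ::= SEQUENCE { tbsCertificate ::= SEQUENCE {
        [0] version OPTIONAL, serialNumber INTEGER, ... }, ... }
    Only this prefix is walked; nothing after the serial is interpreted.
    """
    tag, pos, _ = _tlv(der, 0)              # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _tlv(der, pos)            # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                         # explicit [0] version present: skip it
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    serial = der[start:end]
    # DER prefixes a positive INTEGER with 0x00 when its high bit is set;
    # CAs print serials without that pad, so drop it before comparing.
    if len(serial) > 1 and serial[0] == 0:
        serial = serial[1:]
    return serial.hex()


def serials_in_chain(pem_text):
    """Serial numbers (hex) of every certificate in a PEM chain, in order."""
    return [der_serial_hex(base64.b64decode("".join(b64.split())))
            for b64 in PEM_RE.findall(pem_text)]


def classify_chain(pem_text):
    """Label each certificate in the chain as 'old', 'new' or 'other'."""
    labels = {OLD_SERIAL: "old", NEW_SERIAL: "new"}
    return [labels.get(s, "other") for s in serials_in_chain(pem_text)]


def chain_needs_update(pem_text):
    """True if the served chain still contains the revoked 2012 intermediate."""
    return "old" in classify_chain(pem_text)


def _der(tag, body):
    """Encode one DER TLV with a short- or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def constructed_cert_pem(serial_hex):
    """CONSTRUCTED test input (an assumption, not a real certificate): a DER
    stub holding only the version and serialNumber prefix that
    der_serial_hex() reads.  openssl would reject it as a certificate."""
    serial = bytes.fromhex(serial_hex)
    if serial[0] & 0x80:                    # keep the INTEGER positive
        serial = b"\x00" + serial
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial)
    der = _der(0x30, _der(0x30, tbs))
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    sample = constructed_cert_pem("0123") + constructed_cert_pem(OLD_SERIAL)
    print(classify_chain(sample), "needs update:", chain_needs_update(sample))
```

Pipe a real server's chain into `chain_needs_update()` (stdin from `openssl s_client -showcerts`) to get a yes/no per host; `classify_chain()` also tells you whether the fix has landed, since a repaired host shows `'new'` in the intermediate's slot.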

We also developed a quick and dirty script to scan your network and look for web servers still serving up the old, revoked intermediate certificate. Just replace the `ranges` list with your IP ranges as required. It needs Python 3.7 or later and `openssl` on the path, only talks to port 443, and sends no SNI, so a name-based virtual host may answer with its default chain rather than the one you care about:

#!/usr/bin/python3
import ipaddress
import multiprocessing
import socket
import subprocess

# Base64 fragment that occurs in the PEM encoding of the old (2012-11-06)
# QuoVadis Global SSL ICA G3 intermediate and not in the 2020-09-22 reissue.
bad_quo = "8W8hdONuKKpe9zKedhBFAvuxhDgKmnySglYc"

# Replace with your IP ranges! (The placeholders are deliberately invalid,
# so the script refuses to run until you do.)
ranges = ["355.355.355.0/24", "355.355.355.0/24"]


def check_host(ip):
    """Fetch the chain served on ip:443 and return (ptr, ip) if it still
    contains the revoked intermediate, otherwise None."""
    try:
        p = subprocess.run(
            ["openssl", "s_client", "-showcerts", "-connect", ip + ":443"],
            input=b"",            # closed stdin makes s_client exit after the handshake
            capture_output=True,
            timeout=3,            # replaces the coreutils `timeout 3` wrapper
        )
    except subprocess.TimeoutExpired:
        return None

    # Join the PEM lines so the match does not depend on where they wrap.
    chain = "".join(p.stdout.decode(errors="replace").split())
    if bad_quo not in chain:
        return None

    try:
        ptr = socket.gethostbyaddr(ip)[0]
    except socket.herror:         # no PTR record; keep the hit anyway
        ptr = "no-ptr"
    return ptr, ip


if __name__ == "__main__":
    ips = [str(ip) for cidr in ranges for ip in ipaddress.IPv4Network(cidr)]

    with multiprocessing.Pool(100) as pool:
        hits = [r for r in pool.map(check_host, ips) if r]

    # Write from the parent so concurrent workers never interleave output.
    with open("QuoFound.txt", "a") as f:
        for ptr, ip in hits:
            line = "%s - %s" % (ptr, ip)
            print(line)
            f.write(line + "\n")
This prints any hosts it finds still serving the revoked intermediate, one `hostname - ip` line per host, and appends the same lines to a file called QuoFound.txt.
