Issue 583208 CNNIC CT server inclusion request.
Starred by 5 users. Reported by anyin...@gmail.com, Feb 2 2016
Status: Fixed
Owner:
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; rv:11.0) like Gecko

Steps to reproduce the problem:
Certificate Transparency - CNNIC CT Log Server Inclusion
Log Server URL: https://ctserver.cnnic.cn
MMD: 24 hours
HTTPS supported: yes 
Operator: CNNIC
Contact:
- email: ctlog-admin@cnnic.cn 
- Phone: +86 (010) 58813200
- contact persons: CNNIC CT Operation team

Log Server Public Key:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv7UIYZopMgTTJWPp2IXh
huAf1l6a9zM7gBvntj5fLaFm9pVKhKYhVnno94XuXeN8EsDgiSIJIj66FpUGvai5
samyetZhLocRuXhAiXXbDNyQ4KR51tVebtEq2zT0mT9liTtGwiksFQccyUsaVPhs
Hq9gJ2IKZdWauVA2Fm5x9h8B9xKn/L/2IaMpkIYtd967TNTP/dLPgixN1PLCLayp
vurDGSVDsuWabA3FHKWL9z8wr7kBkbdpEhLlg2H+NAC+9nGKx+tQkuhZ/hWR65aX
+CNUPy2OB9/u2rNPyDydb988LENXoUcMkQT0dU3aiYGkFAY0uZjD2vH97TM20xYt
NQIDAQAB
-----END PUBLIC KEY-----

A description of the Log:
This CT log server is operated by CNNIC. It currently accepts and logs certificates issued by the CNNIC Root and the CNNIC EV Root (attached).

Accepted Roots: see the attached file.

What is the expected behavior?

What went wrong?
CNNIC CT Log Server is now available for inclusion in Chrome.

Did this work before? N/A 

Chrome version: <Copy from: 'about:version'>  Channel: n/a
OS Version: 10.0
Flash Version: Shockwave Flash 20.0 r0
Attachment: cnnic_root_and_EV Root.pem (2.6 KB)
Labels: Cr-Internals-Network-SSL Cr-Security-UX
Labels: -Type-Bug-Security Type-Bug
Owner: agl@chromium.org
Adam, can you take a look?
Comment 3 by agl@chromium.org, Feb 2 2016
Owner: rsleevi@chromium.org
This application seems to be mostly in line with https://www.chromium.org/Home/chromium-security/certificate-transparency/log-policy. Throwing to Ryan, who hopefully knows the process here.
Cc: rsleevi@chromium.org eranm@chromium.org
Labels: -Restrict-View-SecurityTeam -Via-Wizard -OS-Linux -Cr-Internals-Network-SSL -Cr-Security-UX Cr-Internals-Network-CertTrans OS-All
Owner: ----
Status: Untriaged
Please confirm that our Compliance Monitoring Root is added to
your Log:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Comment 5 by eranm@chromium.org, Feb 8 2016
Owner: eranm@chromium.org
Status: Assigned
Comment 6 by pphaneuf@google.com, Feb 11 2016
I just verified, and the Compliance Monitoring root certificate is not yet added to your log (looking at the output of https://ctserver.cnnic.cn/ct/v1/get-roots).

We cannot proceed with the compliance monitoring until it is added.
https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fctserver.cnnic.cn

The certificate chain delivered by this CT Log server is incomplete. 
Comment 8 by anyin...@gmail.com, Feb 13 2016
Sorry for the late reply, as we are on Chinese Spring Festival vacation. We will add your Compliance Monitoring root certificate next Monday.
Comment 9 by pphaneuf@google.com, Feb 13 2016
No problem, simply update this issue once it is done, and I will start work on the compliance monitoring.

The incomplete certificate chain reported in the comment #7 above might also be a problem for the compliance monitoring, but I'm not certain? Might be best to fix it, in any case.
Comment 10 by anyin...@gmail.com, Feb 18 2016
CNNIC has completed adding the Google Compliance Monitoring Root into our CT log. Please have your team check.
Your log has been added to our compliance monitoring system, as well as to the list of logs on our website. Apologies for the delay.
There seems to be a problem with the clock on your server? It looks like it's ahead by about 5 minutes, which causes errors (STHs and SCTs are timestamped in the future).

Others seem to see the same problem, for example: https://ct.x509.io/
The server's clock problem was fixed. 
We checked the access log of our CT server and found some TCP connection failures, as in the attached picture. Please let us know if any coordinating work is needed.

Attachment: failure.jpg (162 KB)
Comment 15 by eranm@chromium.org, May 27 2016
This log has passed the initial 90 day compliance period and we will start
the process to add it to Chrome.
Project Member Comment 16 by bugdroid1@chromium.org, May 31 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3a79a2a6429d0adf9d03cd37e3da2850869d4fa6

commit 3a79a2a6429d0adf9d03cd37e3da2850869d4fa6
Author: eranm <eranm@chromium.org>
Date: Tue May 31 12:37:53 2016

Certificate Transparency: Adding CNNIC's CT log server.

Said log has been pending inclusion since February 26th, 2016, and
has complied with the requirements for inclusion.

BUG= 583208 

Review-Url: https://codereview.chromium.org/2011313002
Cr-Commit-Position: refs/heads/master@{#396817}

[modify] https://crrev.com/3a79a2a6429d0adf9d03cd37e3da2850869d4fa6/net/cert/ct_known_logs_static-inc.h

Comment 17 by eranm@chromium.org, Jul 28 2016
Status: Fixed
Labels: M-53
Cc: ctlog-ad...@cnnic.cn
CNNIC, the clock on your CT server appears to be running fast again (it's a few seconds ahead). This is resulting in you issuing SCTs with timestamps that are slightly in the future, which fail to verify immediately. We suggest using something like NTP to make sure your server's clock stays synchronized.
Cc: robpercival@chromium.org
Thanks for the suggestion. We will fix it this week.
CNNIC, as of 2nd February your server's clock began drifting into the future at a rate of about 4 seconds per day. You are currently issuing SCTs with timestamps ~5 seconds in the future.  Any CT clients compliant with RFC6962 will reject SCTs with timestamps in the future (https://tools.ietf.org/html/rfc6962#section-5.2). For example, our compliance monitoring system will find your handling of add-chain/add-pre-chain requests to be non-compliant.

Could you please fix your clock again?
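Two checks come up repeatedly in this thread: whether a given root is actually present in a log's /ct/v1/get-roots output (comment 6), and whether the log's STH/SCT timestamps lie in the future relative to the verifier's clock, which RFC 6962 section 5.2 says TLS clients MUST reject (comments 11 and 19). The script below is an added example written for this page; it is not code from CNNIC, Google or Chromium, and it runs entirely offline. The get-roots body, the STH, the "now" value, the drift samples and the placeholder DER blobs are all constructed here; the tolerance_ms parameter is an assumption of this example (the RFC itself grants no allowance for future timestamps).

```python
import base64
import hashlib
import json

# Constructed placeholders standing in for DER-encoded root certificates.
# They are not real certificates and not the roots attached to this issue.
MONITOR_ROOT_DER = b"\x30\x82\x01\x00compliance-monitoring-root-placeholder"
CNNIC_ROOT_DER = b"\x30\x82\x01\x00cnnic-root-placeholder"
# Constructed verifier clock: 1455000000000 ms is 2016-02-09 UTC.
NOW_MS = 1_455_000_000_000


def get_roots_body(roots_der):
    """Build the JSON body /ct/v1/get-roots returns (constructed here, not
    fetched): {"certificates": ["<base64 DER>", ...]}."""
    return json.dumps({"certificates": [base64.b64encode(r).decode() for r in roots_der]})


def root_present(get_roots_json, root_der):
    """True if root_der appears in the get-roots list. Compare a digest of the
    decoded DER rather than the base64 text, so re-encoding differences can
    neither hide a match nor fake one."""
    want = hashlib.sha256(root_der).digest()
    certs = json.loads(get_roots_json)["certificates"]
    return any(hashlib.sha256(base64.b64decode(c)).digest() == want for c in certs)


def skew_ms(timestamp_ms, now_ms):
    """Log timestamp minus verifier clock (RFC 6962 timestamps are ms since
    the Unix epoch); positive means the log's clock is ahead of ours."""
    return int(timestamp_ms) - int(now_ms)


def is_future(timestamp_ms, now_ms, tolerance_ms=0):
    """RFC 6962 section 5.2: TLS clients MUST reject SCTs whose timestamp is
    in the future. tolerance_ms is an assumed local allowance for ordinary
    jitter; the RFC grants none, so the default is 0."""
    return skew_ms(timestamp_ms, now_ms) > tolerance_ms


def check_sth(sth_json, now_ms, tolerance_ms=0):
    """Inspect a /ct/v1/get-sth body for a timestamp ahead of our clock."""
    sth = json.loads(sth_json)
    s = skew_ms(sth["timestamp"], now_ms)
    return {"tree_size": sth["tree_size"], "skew_ms": s, "future": s > tolerance_ms}


def drift_s_per_day(samples):
    """Estimate how fast the log's clock is running away from ours.
    samples: [(observed_at_ms, skew_ms), ...]. Least-squares slope of skew
    against wall time (ms per ms, dimensionless) scaled to seconds per day."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two observations")
    xs = [float(t) for t, _ in samples]
    ys = [float(s) for _, s in samples]
    mx, my = sum(xs) / n, sum(ys) / n
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den * 86_400


if __name__ == "__main__":
    body = get_roots_body([CNNIC_ROOT_DER])  # monitoring root not yet added
    print("monitoring root present:", root_present(body, MONITOR_ROOT_DER))
    body = get_roots_body([CNNIC_ROOT_DER, MONITOR_ROOT_DER])
    print("monitoring root present:", root_present(body, MONITOR_ROOT_DER))
    # Constructed STH stamped 5 minutes ahead of our clock, as in comment 11.
    sth = json.dumps({"tree_size": 1234, "timestamp": NOW_MS + 300_000,
                      "sha256_root_hash": "", "tree_head_signature": ""})
    print(check_sth(sth, NOW_MS))
    # Constructed skew observations: 4 s gained per day, as in comment 19.
    day = 86_400_000
    print("drift s/day:", drift_s_per_day([(NOW_MS, 0), (NOW_MS + day, 4000),
                                           (NOW_MS + 2 * day, 8000)]))
```

To use this against a live log you would replace the constructed bodies with the responses of GET /ct/v1/get-roots and GET /ct/v1/get-sth and take now_ms from a clock you trust (ideally NTP-disciplined, since a skewed verifier clock produces the same symptom in the other direction). Note that a single skew reading only tells you the log is ahead; the drift estimate from several readings over days is what distinguishes a one-off misconfiguration from a clock that is not being synchronized at all.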