Hello, welcome to the Thursday, July 7, 22 edition of the Sandstone Storm Center's Stormcast. My name is Johannes Ulrich, and I am recording from Frankfurt, Germany.

I wrote up a real quick diary today about subject alternate names. These are additional names that you can add to a TLS certificate in order to validate

multiple host names.

And the big question you tried to answer is how many subject alternate names are you able

to add to a certificate.

Turns out the specification actually is not very specific about this.

The RFCs kind of suggest that this is a implementation-dependent parameter,

and with that of course no compatibility and such comes to mind as a possible problem. Well, it turns out that the certificate

authorities typically allow at least 100. For example, let's encrypt. And now there are a couple

Komodo, for example, allows 1,000. And some sources say that Komodo actually allows 2,000, but overall you probably

want to stay at 100 or less to ensure that your certificate is compatible.

Most organizations will never get anywhere close to 100, but of course if you have things like

load balancers, proxies and such,

that are protecting a large number of websites, then 100 may easily be reached.

And FortyNet did release its monthly update for July, and with that we got patches for 11 vulnerabilities and four of them have a rating of high.

Among the high vulnerabilities one that sort of sticks out immediately is a MySQL issue that

there is no root user password configured which does allow an authenticated user to then get to the command

prompt and essentially just take over my SQL on the device.

The second interesting vulnerability is a code execution vulnerability via a stack-based buffer

overflow.

Not a reason. This is only rated as high, not critical is that it has a number of

dependencies, like for example, the attacker already has to have a privileged position and

...