On 26 Jun 2017 20:45, "Greg Newby" <gbnewby@pglaf.org> wrote:
>
> On Mon, Jun 26, 2017 at 10:26:08AM -0300, Ben Mezger wrote:
> > This *only* happens on Google Chrome and Chromium.
> >
> > Any idea why this might happen?
>
> I'll get this fixed over the next day or so, probably with a letsencrypt cert. Details:
>
> I'm running the current incarnation of https://lists.cpunks.org and this problem was presumably caused by some SSL changes I made yesterday.
>
> The lists.cpunks.org Apache named virtual host lives on mail.pglaf.org, which uses a wildcard certificate for *.pglaf.org duly issued by Network Solutions.
>
> So, Chrome is right to complain that the cert doesn't match the domain. See, for example: https://www.ssllabs.com/ssltest/analyze.html?d=lists.cpunks.org
>
That's not what it's complaining about. It's saying the cert issuer isn't trusted (though without SNI you will get the wildcard, which doesn't match).
If you expand the certification paths you'll see StartCom is marked as self-signed. AFAIK it has been ever since they got caught issuing google.com certs and the like for "testing".
This has been on the horizon for a while, and similar is going to start happening for some certificates issued by Symantec CAs soon too.
> It's interesting that this new error didn't occur until I tightened the cipher suites. In apache2.conf, the old set was:
>
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
>
It's interesting timing, but I suspect it may simply be coincidence.
> ... which yielded some recent reports of Firefox complaining about allowing SSL3 and some other less secure ciphers.
>
> The current config line, as of Sunday afternoon, is:
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:-MEDIUM:-LOW:-SSLv2:-SSLv3:+EXP
>
> - Greg
>