lists.cpunks.org giving TLS ERR_CERT_AUTHORITY_INVALID
This *only* happens on Google Chrome and Chromium. Any idea why this might happen? - seds
On Mon, Jun 26, 2017 at 2:26 PM, Ben Mezger <su@seds.nl> wrote:
This *only* happens on Google Chrome and Chromium.
Any idea why this might happen?
The cert is issued by Startcom, which Chrome has started phasing out trust for - https://bugs.chromium.org/p/chromium/issues/detail?id=685826#c15
https://threatpost.com/google-to-distrust-wosign-startcom-certs-in-2017/1217...
Apparently Firefox isn't going to be too far behind either
- seds
-- Ben Tasker https://www.bentasker.co.uk
It's about time anyway. Why aren't we using letsencrypt already?
On 06/26/2017 11:29 AM, Ben Tasker wrote:
On Mon, Jun 26, 2017 at 2:26 PM, Ben Mezger <su@seds.nl <mailto:su@seds.nl>> wrote:
This *only* happens on Google Chrome and Chromium.
Any idea why this might happen?
The cert is issued by Startcom, which Chrome has started phasing out trust for - https://bugs.chromium.org/p/chromium/issues/detail?id=685826#c15
https://threatpost.com/google-to-distrust-wosign-startcom-certs-in-2017/1217...
Apparently Firefox isn't going to be too far behind either
- seds
-- Ben Tasker https://www.bentasker.co.uk
-- - seds ~> https://seds.nl
On Mon, Jun 26, 2017 at 10:26:08AM -0300, Ben Mezger wrote:
This *only* happens on Google Chrome and Chromium.
Any idea why this might happen?
I'll get this fixed over the next day or so, probably with a letsencrypt cert. Details:
I'm running the current incarnation of https://lists.cpunks.org and this problem was presumably caused by some SSL changes I made yesterday.
The lists.cpunks.org Apache named virtual host lives on mail.pglaf.org, which uses a wildcard certificate for *.pglaf.org duly issued by Network Solutions. So, Chrome is right to complain that the cert doesn't match the domain. See, for example: https://www.ssllabs.com/ssltest/analyze.html?d=lists.cpunks.org
It's interesting that this new error didn't occur until I tightened the cipher suites. In apache2.conf, the old set was:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
... which yielded some recent reports of Firefox complaining about allowing SSL3 and some other less secure ciphers.
The current config line, as of Sunday afternoon, is:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:-MEDIUM:-LOW:-SSLv2:-SSLv3:+EXP
- Greg
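Greg's message describes two separate things living in one Apache server: the lists.cpunks.org name-based virtual host sharing mail.pglaf.org's wildcard certificate, and the SSLCipherSuite line he tightened. The configuration below is an added example, not Greg's actual config, showing how those two concerns are usually separated in Apache 2.4: protocol versions are selected with SSLProtocol (a "-SSLv3" token inside SSLCipherSuite only removes the SSLv3-era cipher aliases from the list and does not stop the server from negotiating the SSLv3 protocol), and each hostname gets its own certificate. The certificate paths are assumptions: the wildcard paths are placeholders, and the lists.cpunks.org paths follow certbot's default layout for a Let's Encrypt certificate.

```apache
# Added example, not the server's real configuration.
# Global TLS settings, shared by every virtual host below.

# Protocol versions are controlled here, not in SSLCipherSuite.
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder     on
# Cipher string: strong suites only, no anonymous, MD5, RC4 or 3DES suites.
SSLCipherSuite          HIGH:!aNULL:!MD5:!RC4:!3DES

# The first vhost on a port is the default for clients that send no SNI,
# so an SNI-less client sees this wildcard certificate whatever name it
# was trying to reach.
<VirtualHost *:443>
    ServerName              mail.pglaf.org
    SSLEngine               on
    # Placeholder paths for the existing *.pglaf.org wildcard certificate.
    SSLCertificateFile      /path/to/wildcard.pglaf.org.crt
    SSLCertificateKeyFile   /path/to/wildcard.pglaf.org.key
</VirtualHost>

# lists.cpunks.org gets its own certificate from a CA browsers trust.
# Paths assume certbot's default layout; fullchain.pem carries the
# intermediate so clients can build the chain without extra directives.
<VirtualHost *:443>
    ServerName              lists.cpunks.org
    SSLEngine               on
    SSLCertificateFile      /etc/letsencrypt/live/lists.cpunks.org/fullchain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/lists.cpunks.org/privkey.pem
</VirtualHost>
```

With this layout a browser that sends SNI for lists.cpunks.org is handed the Let's Encrypt certificate, and the wildcard is only ever presented for *.pglaf.org names or to clients that send no SNI at all.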
On 26 Jun 2017 20:45, "Greg Newby" <gbnewby@pglaf.org> wrote:
On Mon, Jun 26, 2017 at 10:26:08AM -0300, Ben Mezger wrote:
This *only* happens on Google Chrome and Chromium.
Any idea why this might happen?
I'll get this fixed over the next day or so, probably with a letsencrypt
cert. Details:
I'm running the current incarnation of https://lists.cpunks.org and this
problem was presumably caused by some SSL changes I made yesterday.
The lists.cpunks.org Apache named virtual host lives on mail.pglaf.org,
which uses a wildcard certificate for *.pglaf.org duly issued by Network Solutions.
So, Chrome is right to complain that the cert doesn't match the domain.
See, for example: https://www.ssllabs.com/ssltest/analyze.html?d=lists.cpunks.org
That's not what it's complaining about. It's saying the cert issuer isn't trusted (though without SNI you will get the wildcard which doesn't match). If you expand the certification paths you'll see Startcom is marked as self-signed. Afaik it has been ever since they got caught issuing google.com certs and the like for "testing". This has been on the horizon for a while, and similar is going to start happening for some certificates issued by Symantec CAs soon too.
It's interesting that this new error didn't occur until I tightened the cipher suites. In apache2.conf, the old set was:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
It's interesting timing, but I suspect may simply be coincidence.
... which yielded some recent reports of Firefox complaining about allowing SSL3 and some other less secure ciphers.
The current config line, as of Sunday afternoon, is:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:-MEDIUM:-LOW:-SSLv2:-SSLv3:+EXP
- Greg
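Ben Tasker's point is that the thread is looking at two different verification failures: an issuer the browser's trust store does not contain (Chrome's ERR_CERT_AUTHORITY_INVALID) and a certificate that does not cover the requested name (Chrome reports that one as ERR_CERT_COMMON_NAME_INVALID). The script below is an added example, not anything from the thread or from the server: it builds a throwaway private CA and a wildcard leaf for *.pglaf.org entirely offline, then asks openssl to verify the leaf the way a browser would. The CA name, key sizes and file names are constructed; the default system trust store stands in for the browser's store, which likewise does not contain the constructed root.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the two verification errors
# discussed above with a constructed CA and a *.pglaf.org wildcard leaf.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Root CA (constructed). Its name is a placeholder; what matters is that no
# trust store contains it, which is the position StartCom ended up in.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Constructed Untrusted Root" -keyout ca.key -out ca.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.cnf
openssl x509 -req -in ca.csr -signkey ca.key -days 2 -sha256 \
    -extfile ca.cnf -out ca.pem >/dev/null 2>&1

# Leaf certificate: wildcard for *.pglaf.org, issued by the root above.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=*.pglaf.org" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
printf 'subjectAltName=DNS:*.pglaf.org\n' > leaf.cnf
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 2 -sha256 -extfile leaf.cnf -out leaf.pem >/dev/null 2>&1

# verdict TRUST HOST
#   TRUST=trusted   -> verify with our root added to the trust store (-CAfile)
#   TRUST=untrusted -> verify against the default store only, which lacks it
# Prints one word: ok | untrusted_issuer | hostname_mismatch | other
verdict() {
    trust=$1
    host=$2
    if [ "$trust" = trusted ]; then
        out=$(openssl verify -CAfile ca.pem -verify_hostname "$host" leaf.pem 2>&1 || true)
    else
        out=$(openssl verify -verify_hostname "$host" leaf.pem 2>&1 || true)
    fi
    case "$out" in
        *"leaf.pem: OK"*)               echo ok ;;
        *"unable to get local issuer"*) echo untrusted_issuer ;;
        *"ostname mismatch"*)           echo hostname_mismatch ;;
        *)                              echo other ;;
    esac
}

# Stand-alone run: chain trust fails before the name is even considered;
# once the root is trusted, only single-label *.pglaf.org names match.
for args in "untrusted mail.pglaf.org" "trusted mail.pglaf.org" \
            "trusted lists.cpunks.org" "trusted pglaf.org" "trusted a.mail.pglaf.org"; do
    set -- $args
    printf '%-10s %-20s -> %s\n' "$1" "$2" "$(verdict "$1" "$2")"
done
```

The untrusted case fails with "unable to get local issuer certificate" even for mail.pglaf.org, which is the analogue of what Chrome shows for a StartCom-issued certificate; only after the root is trusted does the name check run, and then lists.cpunks.org, the bare pglaf.org and the two-label a.mail.pglaf.org are all rejected because a single wildcard label covers exactly one label.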
participants (3)
- Ben Mezger
- Ben Tasker
- Greg Newby