lists.cpunks.org giving TLS ERR_CERT_AUTHORITY_INVALID

Greg Newby gbnewby at pglaf.org
Mon Jun 26 12:44:46 PDT 2017


On Mon, Jun 26, 2017 at 10:26:08AM -0300, Ben Mezger wrote:
> This *only* happens on Google Chrome and Chromium.
> 
> Any idea why this might happen?

I'll get this fixed over the next day or so, probably with a letsencrypt cert.  Details:

I'm running the current incarnation of https://lists.cpunks.org and this problem was presumably caused by some SSL changes I made yesterday.

The lists.cpunks.org Apache named virtual host lives on mail.pglaf.org, which uses a wildcard certificate for *.pglaf.org duly issued by Network Solutions.

So, Chrome is right to complain that the cert doesn't match the domain.  See, for example: https://www.ssllabs.com/ssltest/analyze.html?d=lists.cpunks.org

It's interesting that this new error didn't occur until I tightened the cipher suites.  In apache2.conf, the old set was:

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

... which yielded some recent reports of Firefox complaining about allowing SSL3 and some other less secure ciphers.  

The current config line, as of Sunday afternoon, is:

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:-MEDIUM:-LOW:-SSLv2:-SSLv3:+EXP

  - Greg
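
The name check behind the mismatch described above, as an added example that is not part of the original message: a wildcard in a certificate name covers exactly one left-most label under its own domain, so `*.pglaf.org` covers `mail.pglaf.org` but not `lists.cpunks.org`. The function names and the one-entry name list are assumptions made for illustration; a real certificate may list more names.

```python
"""Added example: wildcard certificate name matching (RFC 6125 style)."""


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name covers the hostname.

    A wildcard is honoured only as the entire left-most label and
    stands for exactly one label, as browsers apply it.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels or "*" in hostname:
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels so "*.org" never matches.
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial or non-leftmost wildcards are rejected
    return p_labels == h_labels


def covering_names(cert_names, hostname):
    """List the certificate names that cover the requested hostname."""
    return [n for n in cert_names if name_matches(n, hostname)]


# Constructed input: the wildcard name from the post. Assumption: the
# certificate carries only this name.
CERT_NAMES = ["*.pglaf.org"]

if __name__ == "__main__":
    for host in ("mail.pglaf.org", "lists.cpunks.org", "pglaf.org", "a.b.pglaf.org"):
        hits = covering_names(CERT_NAMES, host)
        print(f"{host:18} {'ok' if hits else 'MISMATCH'} {hits}")
```

The result depends only on the names in the certificate and the requested hostname; the cipher suite string plays no part in it.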
