lists.cpunks.org giving TLS ERR_CERT_AUTHORITY_INVALID

Ben Tasker ben at bentasker.co.uk
Mon Jun 26 13:01:34 PDT 2017


On 26 Jun 2017 20:45, "Greg Newby" <gbnewby at pglaf.org> wrote:
>
> On Mon, Jun 26, 2017 at 10:26:08AM -0300, Ben Mezger wrote:
> > This *only* happens on Google Chrome and Chromium.
> >
> > Any idea why this might happen?
>
> I'll get this fixed over the next day or so, probably with a letsencrypt
> cert.  Details:
>
> I'm running the current incarnation of https://lists.cpunks.org and this
> problem was presumably caused by some SSL changes I made yesterday.
>
> The lists.cpunks.org Apache named virtual host lives on mail.pglaf.org,
> which uses a wildcard certificate for *.pglaf.org duly issued by Network
> Solutions.
>
> So, Chrome is right to complain that the cert doesn't match the domain.
> See, for example:
> https://www.ssllabs.com/ssltest/analyze.html?d=lists.cpunks.org
>

That's not what it's complaining about. It's saying the cert issuer isn't
trusted (though without SNI you will get the wildcard which doesn't match).

If you expand the certification paths you'll see Startcom is marked as
self-signed. Afaik it has been ever since they got caught issuing google.com
certs and the like for "testing".

This has been on the horizon for a while, and similar is going to start
happening for some certificates issued by Symantec CAs soon too.

> It's interesting that this new error didn't occur until I tightened the
> cipher suites.  In apache2.conf, the old set was:
>
>     SSLCipherSuite
>     ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
>

It's interesting timing, but I suspect it may simply be coincidence.

> ... which yielded some recent reports of Firefox complaining about
> allowing SSL3 and some other less secure ciphers.
>
> The current config line, as of Sunday afternoon, is:
>     SSLCipherSuite
>     ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:-MEDIUM:-LOW:-SSLv2:-SSLv3:+EXP
>
>   - Greg
>
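The distinction drawn above (untrusted issuer versus a name that doesn't match the wildcard) can be reproduced offline. The script below is an added example, not part of this thread or Greg's server config: it builds a throwaway root CA and a *.pglaf.org wildcard cert with the openssl CLI, then runs `openssl verify` three ways. It assumes an openssl binary of 1.1.0 or newer on PATH; the CA is a constructed stand-in for a root the browser does not trust.

```shell
#!/bin/sh
# Added example: reproduce the two distinct certificate failures locally.
# Names are taken from the thread; the CA is a constructed, untrusted root.
set -e
W=$(mktemp -d)
# Throwaway root CA, deliberately NOT installed in any trust store.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Untrusted Test Root" \
    -keyout "$W/ca.key" -out "$W/ca.pem" 2>/dev/null
# Wildcard leaf for *.pglaf.org, the cert the vhost actually serves.
openssl req -newkey rsa:2048 -nodes -subj "/CN=*.pglaf.org" \
    -keyout "$W/leaf.key" -out "$W/leaf.csr" 2>/dev/null
printf 'subjectAltName=DNS:*.pglaf.org\n' > "$W/san.cnf"
openssl x509 -req -days 2 -in "$W/leaf.csr" -CA "$W/ca.pem" -CAkey "$W/ca.key" \
    -CAcreateserial -extfile "$W/san.cnf" -out "$W/leaf.pem" 2>/dev/null

# classify HOSTNAME TRUSTED_CA_FILE
# Prints one of: ok, authority-invalid, name-mismatch, other.
# An empty TRUSTED_CA_FILE means "no trust store at all", i.e. the issuer is unknown.
# Order mirrors a browser: chain to a trusted root first, then check the name.
classify() {
    host=$1; trust=$2
    if [ -n "$trust" ]; then
        out=$(openssl verify -CAfile "$trust" -verify_hostname "$host" "$W/leaf.pem" 2>&1 || true)
    else
        out=$(openssl verify -no-CAfile -no-CApath -verify_hostname "$host" "$W/leaf.pem" 2>&1 || true)
    fi
    case "$out" in
        *": OK"*)                                   echo ok ;;
        *"unable to get local issuer"*|*self*signed*) echo authority-invalid ;;
        *"ostname mismatch"*)                       echo name-mismatch ;;
        *)                                          echo other ;;
    esac
}

# Untrusted issuer even though the name matches: Chrome's ERR_CERT_AUTHORITY_INVALID.
classify mail.pglaf.org ""
# Trusted issuer but wrong name (what a client without SNI hits): Chrome's ERR_CERT_COMMON_NAME_INVALID.
classify lists.cpunks.org "$W/ca.pem"
# Trusted issuer and a name the wildcard covers.
classify mail.pglaf.org "$W/ca.pem"
```

Fixing the cipher string changes none of these three outcomes; only a leaf that chains to a trusted root, served for the name the client asked for, yields "ok".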