Brandon Vincent wrote:
On Mon, Nov 3, 2014 at 5:26 AM, Per Jessen <per@computer.org> wrote:
Can anyone explain this?
As others have pointed out, the certificate chain presented by the server at webmail.hostsuisse.com is incomplete. Your computer and browser typically only have root certificates installed, so since the server is not presenting the intermediate certificate, the chain of trust is incomplete and the validity of the server's certificate cannot be verified. Some internet browsers see an incomplete certificate chain and will use AIA extensions to download the missing certificates. The design philosophy of Mozilla Firefox is not to do this. This is done by the Qualys SSL test when it shows "Extra download" next to the intermediate certificate. The RFC standard for X.509 specifically states that AIA extensions, "... may be included in subject or CA certificates, and it MUST be non-critical." Thus, you need to present a valid chain via the server if you want to ensure that all users can access your web server.
Thanks Brandon, much appreciated. What I don't understand is why it used to work fine, then apparently stopped.
It appears that you are running Apache 2.2.13. To add the intermediate certificate [1], you should use the SSLCertificateChainFile directive [2].
Yes, I did try this already, but it didn't seem to bring any improvement. I'll double check my config.
I highly suspect that the difference in behavior between the two versions of the browser is due to the caching nature of Firefox in regards to intermediate certificates. Mozilla Firefox will actually cache the intermediate certificates presented by a server and reuse them for different websites. Thus if you visit a site where the intermediate certificate is presented, your browser will use it for when the server at webmail.hostsuisse.com does not send the certificate.
Interesting idea - any possibility that such cached certificates might be stored as "Software Security Device" ?
To test this theory, I'd be curious to see if, after visiting a site that does send the intermediate certificate, you receive any errors when you try accessing your website. A website that does send this certificate is [3].
I'll try that right away.
This behavior might have changed in recent versions of Firefox as it is equally as bad as supporting AIA extensions for downloading certificates.
[1] http://swisssign.net/cgi-bin/authority/download/D3446FD9FE7AFCDEAC1C7AA2210D...
[2] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
[3] https://www.moster.info
Brandon Vincent
Thanks for taking the time to write all this up, especially in such a clear and concise manner. /Per
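The failure mode discussed in this thread, reproduced offline as an added example (this is not code from the thread, from either participant, or from the Apache project): a throwaway root, intermediate and leaf certificate are generated with openssl, and a verifier that trusts only the root is asked to validate the leaf first without and then with the intermediate. The hostname, CA names and file paths are constructed for the demo; `openssl` on `PATH` and a writable temp directory are assumed. `served_chain_length` is an extra helper for checking a live server (it needs network and is not exercised by the demo).

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> leaf
# chain with openssl and show that a client holding only the root fails to verify
# the leaf unless the intermediate is supplied with it, which is exactly what
# SSLCertificateChainFile makes Apache 2.2 send. All names here are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_demo_pki: create a demo root CA, an intermediate CA signed by it, and a
# leaf (server) certificate signed by the intermediate. Files land in $WORK.
make_demo_pki() {
  # Root CA, self-signed; this stands in for what a browser ships in its trust store.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" -subj "/CN=Demo Root CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/root.ext"
  openssl x509 -req -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" >/dev/null 2>&1

  # Intermediate CA, signed by the root. Browsers do not ship this one.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/inter.ext"
  openssl x509 -req -days 2 -in "$WORK/inter.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/inter.ext" -out "$WORK/inter.pem" >/dev/null 2>&1

  # Leaf certificate for the (constructed) web server, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=webmail.example.test" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:webmail.example.test\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -days 2 -in "$WORK/leaf.csr" \
    -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# check_chain LEAF CHAIN ROOT: emulate a client that trusts only ROOT and was handed
# LEAF plus whatever intermediates are in CHAIN (an empty string means the server
# sent none). Exit status 0 = chain verifies; non-zero = incomplete chain, the
# "unable to get local issuer certificate" case a non-AIA-fetching browser reports.
check_chain() {
  leaf=$1; chain=$2; root=$3
  if [ -n "$chain" ] && [ -s "$chain" ]; then
    openssl verify -CAfile "$root" -untrusted "$chain" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1
  fi
}

# served_chain_length HOST: count the certificates a live server actually sends in
# its handshake (needs network; not run by the demo). A count of 1 for a leaf
# issued by an intermediate means the intermediate is missing from the server
# configuration, which is what "Extra download" in the Qualys test reflects.
served_chain_length() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

if [ "${1:-}" = "demo" ]; then
  make_demo_pki
  if check_chain "$WORK/leaf.pem" "" "$WORK/root.pem"; then
    echo "unexpected: leaf verified without the intermediate"
  else
    echo "leaf alone: verification fails (intermediate missing)"
  fi
  if check_chain "$WORK/leaf.pem" "$WORK/inter.pem" "$WORK/root.pem"; then
    echo "leaf + intermediate: chain verifies"
  fi
  # The matching Apache 2.2 configuration for the server side would be:
  #   SSLCertificateFile      /path/to/leaf.pem
  #   SSLCertificateKeyFile   /path/to/leaf.key
  #   SSLCertificateChainFile /path/to/inter.pem
fi
```

Run it as `sh chain-demo.sh demo`. The second check is the state the server should be in: the client still trusts only the root, but because the intermediate travels with the leaf the path builds without any AIA fetch or cached copy from another site. On Apache 2.4.8 and later the intermediate can instead be appended to the file named by SSLCertificateFile, since SSLCertificateChainFile is deprecated there; on the 2.2 series discussed in the thread the separate directive is the way to do it.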