[opensuse] Has anything changed in recent Firefox wrt ssl certificates validation?
I am trying to access https://webmail.hostsuisse.com/ and with the latest Firefox, I get:

webmail.hostsuisse.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)

However, the issuer is SwissSign, the CA is: SwissSign Server Silver CA 2008 - G2

This is installed per default (according to Edit->Preferences->Advanced->Certificates).

Can anyone explain this?

--
Per Jessen, Zürich (15.6°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Mon, Nov 03, 2014 at 01:26:04PM +0100, Per Jessen wrote:
I am trying to access
https://webmail.hostsuisse.com/
and with the latest Firefox, I get:
webmail.hostsuisse.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
However, the issuer is SwissSign, the CA is:
SwissSign Server Silver CA 2008 - G2
This is installed per default (according to Edit->Preferences->Advanced->Certificates).
Can anyone explain this?
The root CA is not included in the certificate store. I see various SwissSign CAs, but "SwissSign Server Silver CA 2008 - G2" is not present. (There is "SwissSign Silver CA 2008 - G2" (without Server), but it is not the same.)

Ciao, Marcus
Marcus Meissner wrote:
On Mon, Nov 03, 2014 at 01:26:04PM +0100, Per Jessen wrote:
I am trying to access
https://webmail.hostsuisse.com/
and with the latest Firefox, I get:
webmail.hostsuisse.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
However, the issuer is SwissSign, the CA is:
SwissSign Server Silver CA 2008 - G2
This is installed per default (according to Edit->Preferences->Advanced->Certificates).
Can anyone explain this?
The root CA is not included in the certificate store.
I see various SwissSign CAs, but "SwissSign Server Silver CA 2008 - G2" is not present.
(There is "SwissSign Silver CA 2008 - G2" (without Server), but it is not the same.)
Thanks, you're right, I missed that bit. Okay, next question, does anyone know why that CA was removed or not included? It was included back in June or July when that certificate was issued. I'm seeing this issue on Firefox 33.0 on openSUSE 13.2 / Factory. I see the CA in e.g. Firefox 33.0.2 (apparently the latest one) on my son's Windows box.

--
Per Jessen, Zürich (15.9°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
Per Jessen wrote:
Marcus Meissner wrote:
On Mon, Nov 03, 2014 at 01:26:04PM +0100, Per Jessen wrote:
I am trying to access
https://webmail.hostsuisse.com/
and with the latest Firefox, I get:
webmail.hostsuisse.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
However, the issuer is SwissSign, the CA is:
SwissSign Server Silver CA 2008 - G2
This is installed per default (according to Edit->Preferences->Advanced->Certificates).
Can anyone explain this?
The root CA is not included in the certificate store.
I see various SwissSign CAs, but "SwissSign Server Silver CA 2008 - G2" is not present.
(There is "SwissSign Silver CA 2008 - G2" (without Server), but it is not the same.)
Thanks, you're right, I missed that bit. Okay, next question, does anyone know why that CA was removed or not included? It was included back in June or July when that certificate was issued. I'm seeing this issue on Firefox 33.0 on openSUSE 13.2 / Factory. I see the CA in e.g. Firefox 33.0.2 (apparently the latest one) on my son's Windows box.
Well, I don't see that CA listed here either:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs...

On my son's Winbox, it is listed as "software security module" (my translation, the browser has it in German). I am pretty certain I did not install that CA manually, so how can it be in one Firefox but not in another? (even if they're very slightly different).

--
Per Jessen, Zürich (16.0°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
Per Jessen wrote:
Per Jessen wrote:
Marcus Meissner wrote:
On Mon, Nov 03, 2014 at 01:26:04PM +0100, Per Jessen wrote:
I am trying to access
https://webmail.hostsuisse.com/
and with the latest Firefox, I get:
webmail.hostsuisse.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
However, the issuer is SwissSign, the CA is:
SwissSign Server Silver CA 2008 - G2
This is installed per default (according to Edit->Preferences->Advanced->Certificates).
Can anyone explain this?
The root CA is not included in the certificate store.
I see various SwissSign CAs, but "SwissSign Server Silver CA 2008 - G2" is not present.
(There is "SwissSign Silver CA 2008 - G2" (without Server), but it is not the same.)
Thanks, you're right, I missed that bit. Okay, next question, does anyone know why that CA was removed or not included? It was included back in June or July when that certificate was issued. I'm seeing this issue on Firefox 33.0 on openSUSE 13.2 / Factory. I see the CA in e.g. Firefox 33.0.2 (apparently the latest one) on my son's Windows box.
Well, I don't see that CA listed here either:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs...
On my son's Winbox, it is listed as "software security module" (my translation, the browser has it in German). I am pretty certain I did not install that CA manually, so how can it be in one Firefox but not in another? (even if they're very slightly different).
On my laptop, I'm running openSUSE 12.3 with Firefox 29.0 - the Swisssign Server is installed there too (by default).

--
Per Jessen, Zürich (14.4°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 03/11/14 at 09:26, Per Jessen wrote:
I am trying to access
https://webmail.hostsuisse.com/
and with the latest Firefox, I get:
webmail.hostsuisse.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
However, the issuer is SwissSign, the CA is:
SwissSign Server Silver CA 2008 - G2
This is installed per default (according to Edit->Preferences->Advanced->Certificates).
Can anyone explain this?
Your certificate chain is incomplete.. and the server configuration is also broken beyond repair "ranked F"
https://www.ssllabs.com/ssltest/analyze.html?d=webmail.hostsuisse.com&hideResults=on
Cristian Rodríguez wrote:
On 03/11/14 at 09:26, Per Jessen wrote:
I am trying to access
https://webmail.hostsuisse.com/
and with the latest Firefox, I get:
webmail.hostsuisse.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
However, the issuer is SwissSign, the CA is:
SwissSign Server Silver CA 2008 - G2
This is installed per default (according to Edit->Preferences->Advanced->Certificates).
Can anyone explain this?
Your certificate chain is incomplete.
Do you know if anything changed in this respect? This was working when that certificate was installed.
. and the server configuration is also broken beyond repair "ranked F"
Perhaps not quite beyond repair, but yes, it's overdue to be moved off that server. We want to upgrade to 2.4 and get support for PFS, EC ciphers etc.

--
Per Jessen, Zürich (14.7°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 03.11.2014 at 16:08, Per Jessen wrote:
Cristian Rodríguez wrote:
Do you know if anything changed in this respect? This was working when that certificate was installed.
. and the server configuration is also broken beyond repair "ranked F"
Perhaps not quite beyond repair, but yes, it's overdue to be moved off that server. We want to upgrade to 2.4 and get support for PFS, EC ciphers etc.
I don't have a clear explanation but NSS changes root CA certificates over time obviously. So different Firefox versions support different sets of root CAs. If the Root-CA was removed and why I don't know. Please also note that in openSUSE we ship always the latest NSS matching the latest Firefox update and sometimes even newer. There was a bigger Root CA cleanup with NSS 3.16.3 while Firefox 33.x contains 3.17.2.

Wolfgang
Wolfgang Rosenauer wrote:
On 03.11.2014 at 16:08, Per Jessen wrote:
Cristian Rodríguez wrote:
Do you know if anything changed in this respect? This was working when that certificate was installed.
. and the server configuration is also broken beyond repair "ranked F"
Perhaps not quite beyond repair, but yes, it's overdue to be moved off that server. We want to upgrade to 2.4 and get support for PFS, EC ciphers etc.
I don't have a clear explanation but NSS changes root CA certificates over time obviously. So different Firefox versions support different sets of root CAs. If the Root-CA was removed and why I don't know. Please also note that in openSUSE we ship always the latest NSS matching the latest Firefox update and sometimes even newer. There was a bigger Root CA cleanup with NSS 3.16.3 while Firefox 33.x contains 3.17.2.
I guess I'll have to ask SwissSign. Thanks everyone.

--
Per Jessen, Zürich (12.6°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 03/11/14 at 12:08, Per Jessen wrote:
Do you know if anything changed in this respect? This was working when that certificate was installed.
It does not matter what changed in the client side, your certificate setup is still incomplete.
Perhaps not quite beyond repair, but yes, it's overdue to be moved off that server. We want to upgrade to 2.4 and get support for PFS, EC ciphers etc.
Yeah but you also need an OS with a recent openssl version.
Cristian Rodríguez wrote:
On 03/11/14 at 12:08, Per Jessen wrote:
Do you know if anything changed in this respect? This was working when that certificate was installed.
It does not matter what changed in the client side, your certificate setup is still incomplete.
Huh? In which way is it incomplete? I mean, it was working fine when it was set up, right up until quite recently.
Perhaps not quite beyond repair, but yes, it's overdue to be moved off that server. We want to upgrade to 2.4 and get support for PFS, EC ciphers etc.
Yeah but you also need an OS with a recent openssl version.
Yes, that too.

--
Per Jessen, Zürich (12.1°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 04/11/14 at 04:03, Per Jessen wrote:
Huh? In which way is it incomplete? I mean, it was working fine when it was set up, right up until quite recently.
"SwissSign Server Silver CA 2008 - G2" is not part of the certificate chain you are sending to clients.
On 11/03/2014 09:08 AM, Per Jessen wrote:
Your certificate chain is incomplete. Do you know if anything changed in this respect? This was working when that certificate was installed.
. and the server configuration is also broken beyond repair "ranked F" Perhaps not quite beyond repair, but yes, it's overdue to be moved off that server. We want to upgrade to 2.4 and get support for PFS, EC ciphers etc.
Per,

I tried the test from 13.1 FF and the certificate was there and worked. The primary issues prompting the "F" were SSL3 and renegotiation (POODLE, MTM attack, respectively), but the initial connection worked. (not that this is encouraging, but are you seeing something different?)

The certificate information returned was:

  Additional Certificates (if supplied)
  Certificates provided   2 (3004 bytes)
  Chain issues            Incomplete, Contains anchor

  #2
  Subject                 SwissSign Silver CA - G2   In trust store
                          SHA1: 9baae59f56ee21cb435abe2593dfa7f040d11dcb
  Valid until             Sat Oct 25 08:32:46 UTC 2036 (expires in 21 years and 11 months)
  Key                     RSA 4096 bits
  Issuer                  SwissSign Silver CA - G2   Self-signed
  Signature algorithm     SHA1withRSA   Weak, but no impact on root certificates

  Certification Paths
  Path #1: Trusted
  1  Sent by server       webmail.hostsuisse.com
                          SHA1: 552ead3a0445ad8136b0575efb2240856cf11d75
                          RSA 2048 bits / SHA1withRSA   WEAK SIGNATURE
  2  Extra download       SwissSign Server Silver CA 2008 - G2
                          SHA1: 95eef9f8bb003d337c47b0f9a947ffafe02725c3
                          RSA 2048 bits / SHA1withRSA   WEAK SIGNATURE
  3  Sent by server       SwissSign Silver CA - G2   In trust store
                          SHA1: 9baae59f56ee21cb435abe2593dfa7f040d11dcb
                          RSA 4096 bits / SHA1withRSA   Weak or insecure signature, but no impact on root certificates

--
David C. Rankin, J.D.,P.E.
David C. Rankin wrote:
On 11/03/2014 09:08 AM, Per Jessen wrote:
Your certificate chain is incomplete. Do you know if anything changed in this respect? This was working when that certificate was installed.
. and the server configuration is also broken beyond repair "ranked F" Perhaps not quite beyond repair, but yes, it's overdue to be moved off that server. We want to upgrade to 2.4 and get support for PFS, EC ciphers etc.
Per,
I tried the test from 13.1 FF and the certificate was there and worked.
Hi David, thanks for testing - with the help of Brandon, Olav, Cristian et al, I have determined what is happening. In essence, I needed to add 'SSLCertificateChainFile' to the apache config pointing to the intermediate CA "SwissSign Server Silver CA 2008 G2". This was not clear at the time we set up this server as all the browsers used to test had already been in touch with other sites using certificates issued by this CA. As Brandon suggested, for user-friendliness, Firefox caches/keeps any intermediate CAs offered by a server. This is nice for the user, but obstructs testing e.g. the need for adding SSLCertificateChainFile.

/Per

--
Per Jessen, Zürich (7.2°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
Looks like it was a change in FF33, I just ran into it as well on one of our internal Oracle boxes:
http://superuser.com/questions/826232/how-to-bypass-the-secure-connection-fa...

The website still works fine with the latest version of Chrome though.
On 11/03/2014 01:26 PM, Per Jessen wrote:
I am trying to access
https://webmail.hostsuisse.com/
and with the latest Firefox, I get:
webmail.hostsuisse.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
However, the issuer is SwissSign, the CA is:
SwissSign Server Silver CA 2008 - G2
This is installed per default (according to Edit->Preferences->Advanced->Certificates).
Can anyone explain this?
Look here:

  openssl s_client -connect webmail.hostsuisse.com:443 -showcerts
  ...
  Certificate chain
   0 s:/OU=Domain Validated Only/CN=webmail.hostsuisse.com
     i:/C=CH/O=SwissSign AG/CN=SwissSign Server Silver CA 2008 - G2

This is your server certificate. It is issued by "SwissSign Server Silver CA 2008 - G2"

  ....
   1 s:/C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
     i:/C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2

This is the root-CA certificate.

The webserver does not deliver the intermediate certificate. Its name should be: "SwissSign Server Silver CA 2008 - G2" and I guess it should be issued by: "SwissSign Silver CA - G2"

Get it here, and add it to the chain of your apache - don't add it to your browser:
https://swisssign.net/cgi-bin/authority/download
On Mon, Nov 3, 2014 at 5:26 AM, Per Jessen <per@computer.org> wrote:
Can anyone explain this?
As others have pointed out, the certificate chain presented by the server at webmail.hostsuisse.com is incomplete. Your computer and browser typically only have root certificates installed, so since the server is not presenting the intermediate certificate, the chain of trust is incomplete and the validity of the server's certificate can not be verified.

Some internet browsers see an incomplete certificate chain and will use AIA extensions to download the missing certificates. The design philosophy of Mozilla Firefox is not to do this. This is done by the Qualys SSL test when it shows "Extra download" next to the intermediate certificate. The RFC standard for X.509 specifically states that AIA extensions, "... may be included in subject or CA certificates, and it MUST be non-critical." Thus, you need to present a valid chain via the server if you want to ensure that all users can access your web server.

It appears that you are running Apache 2.2.13. To add the intermediate certificate [1], you should use the SSLCertificateChainFile directive [2].

I highly suspect that the difference in behavior between the two versions of the browser is due to the caching nature of Firefox in regards to intermediate certificates. Mozilla Firefox will actually cache the intermediate certificates presented by a server and reuse them for different websites. Thus if you visit a site where the intermediate certificate is presented, your browser will use it for when the server at webmail.hostsuisse.com does not send the certificate.

To test this theory, I'd be curious to see if after visiting a site that does send the intermediate certificate, if you receive any errors when you try accessing your website. A website that does send this certificate is [3].

This behavior might have changed in recent versions of Firefox as it is equally as bad as supporting AIA extensions for downloading certificates.

[1] http://swisssign.net/cgi-bin/authority/download/D3446FD9FE7AFCDEAC1C7AA2210D...
[2] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
[3] https://www.moster.info

Brandon Vincent
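The three situations discussed in this thread (a server that sends its leaf plus the root but no intermediate, a server that sends the intermediate, and a client that has cached the intermediate from an earlier visit) can be replayed offline. The program below is an added example, not code from the thread, from Mozilla, Apache or SwissSign; it uses Go's standard crypto/x509 verifier as a stand-in for Firefox's NSS, the CA and host names are constructed, and the browser "intermediate cache" is simulated by feeding previously seen intermediates into the verifier's intermediate pool. The mapping of x509.UnknownAuthorityError to Firefox's sec_error_unknown_issuer is an assumption about which failure each reports for the same condition, not something either project documents in these terms.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// certPair bundles a certificate with the key that signs on its behalf.
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var nextSerial int64 = 1000 // simple unique serials for this example

// mustIssue creates a certificate for cn. A nil parent yields a self-signed root;
// isCA marks root and intermediate CAs. Names are constructed for this example.
func mustIssue(cn string, isCA bool, parent *certPair) *certPair {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &certPair{cert: cert, key: key}
}

// verifyAsBrowser plays the client: trusted holds only root CAs, as a browser's
// built-in store does; sent is what the server presented after its own leaf;
// cached stands in for intermediates remembered from earlier sites (the Firefox
// behaviour discussed in the thread, simulated here with a second pool).
func verifyAsBrowser(leaf *x509.Certificate, sent, cached []*x509.Certificate, trusted *x509.CertPool) error {
	inter := x509.NewCertPool()
	for _, c := range sent {
		inter.AddCert(c)
	}
	for _, c := range cached {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: leaf.DNSNames[0], Roots: trusted, Intermediates: inter})
	return err
}

// isUnknownIssuer reports whether verification failed because no path to a
// trusted root could be built (the condition Firefox shows as sec_error_unknown_issuer).
func isUnknownIssuer(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// runScenario builds root -> intermediate -> two server certificates and returns
// the verification error for: a server sending leaf + root only; a server sending
// leaf + intermediate; and the first server seen by a client that cached the
// intermediate while visiting the second.
func runScenario() (incompleteErr, completeErr, cachedErr error) {
	root := mustIssue("Example Silver CA - G2", true, nil)
	inter := mustIssue("Example Server Silver CA 2008 - G2", true, root)
	webmail := mustIssue("webmail.example.test", false, inter)
	other := mustIssue("other.example.test", false, inter)
	trusted := x509.NewCertPool()
	trusted.AddCert(root.cert)

	anchorOnly := []*x509.Certificate{root.cert} // SSL Labs: "Incomplete, Contains anchor"
	withInter := []*x509.Certificate{inter.cert} // what SSLCertificateChainFile would add
	incompleteErr = verifyAsBrowser(webmail.cert, anchorOnly, nil, trusted)
	completeErr = verifyAsBrowser(other.cert, withInter, nil, trusted)
	cachedErr = verifyAsBrowser(webmail.cert, anchorOnly, withInter, trusted)
	return
}

func main() {
	a, b, c := runScenario()
	fmt.Printf("no intermediate, fresh client: %v (unknown issuer: %v)\n", a, isUnknownIssuer(a))
	fmt.Printf("intermediate sent:             %v\n", b)
	fmt.Printf("no intermediate, but cached:   %v\n", c)
}
```

Run with `go run`: the first line reports an unknown-authority failure, the other two report `<nil>`. The third line is the trap Per ran into: a client that has already seen the intermediate elsewhere verifies the misconfigured server fine, so a browser that has visited other sites is not a reliable check for a complete chain; a fresh profile or an `openssl s_client -showcerts` look at what the server actually sends is.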
Brandon Vincent wrote:
On Mon, Nov 3, 2014 at 5:26 AM, Per Jessen <per@computer.org> wrote:
Can anyone explain this?
As others have pointed out, the certificate chain presented by the server at webmail.hostsuisse.com is incomplete. Your computer and browser typically only have root certificates installed, so since the server is not presenting the intermediate certificate, the chain of trust is incomplete and the validity of the server's certificate can not be verified. Some internet browsers see an incomplete certificate chain and will use AIA extensions to download the missing certificates. The design philosophy of Mozilla Firefox is not to do this. This is done by the Qualys SSL test when it shows "Extra download" next to the intermediate certificate. The RFC standard for X.509 specifically states that AIA extensions, "... may be included in subject or CA certificates, and it MUST be non-critical." Thus, you need to present a valid chain via the server if you want to ensure that all users can access your web server.
Thanks Brandon, much appreciated. What I don't understand is why it used to work fine, then apparently stopped.
It appears that you are running Apache 2.2.13. To add the intermediate certificate [1], you should use the SSLCertificateChainFile directive [2].
Yes, I did try this already, but it didn't seem to bring any improvement. I'll double check my config.
I highly suspect that the difference in behavior between the two versions of the browser is due to the caching nature of Firefox in regards to intermediate certificates. Mozilla Firefox will actually cache the intermediate certificates presented by a server and reuse them for different websites. Thus if you visit a site where the intermediate certificate is presented, your browser will use it for when the server at webmail.hostsuisse.com does not send the certificate.
Interesting idea - any possibility that such cached certificates might be stored as "Software Security Device" ?
To test this theory, I'd be curious to see if after visiting a site that does send the intermediate certificate, if you receive any errors when you try accessing your website. A website that does send this certificate is [3].
I'll try that right away.
This behavior might have changed in recent versions of Firefox as it is equally as bad as supporting AIA extensions for downloading certificates.
[1] http://swisssign.net/cgi-bin/authority/download/D3446FD9FE7AFCDEAC1C7AA2210D...
[2] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
[3] https://www.moster.info
Brandon Vincent
Thanks for taking the time to write all this up, especially in such a clear and concise manner.

/Per
Per Jessen wrote:
I highly suspect that the difference in behavior between the two versions of the browser is due to the caching nature of Firefox in regards to intermediate certificates. Mozilla Firefox will actually cache the intermediate certificates presented by a server and reuse them for different websites. Thus if you visit a site where the intermediate certificate is presented, your browser will use it for when the server at webmail.hostsuisse.com does not send the certificate.
Interesting idea - any possibility that such cached certificates might be stored as "Software Security Device" ?
I can confirm - after accessing https://www.moster.info/, the "Swisssign Server Silver CA 2008 G2" turned up in Firefox' certificate list as a "Software Security Device". It's a little bit confusing to find it stored like that, I think it would have been nice if it had been named "intermediate cache" or something like that. Anyway, many thanks to everyone who chipped in, it's been educational.

--
Per Jessen, Zürich (7.4°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
Participants (8): Brandon Vincent, Christopher Myers, Cristian Rodríguez, David C. Rankin, Florian Gleixner, Marcus Meissner, Per Jessen, Wolfgang Rosenauer