[RndTbl] Browser not receiving entire certificate chain?

Theodore Baschak theodore at ciscodude.net
Sat Jun 13 01:41:07 CDT 2015


> On Jun 12, 2015, at 2:18 PM, Wyatt Zacharias <wyatt at magitech.ca> wrote:
> 
> So we recently upgraded our SSL certificate to SHA256 to meet Google's new security policies, 
> and now we're getting very isolated incidents where browsers do not trust the new certificate because
> they don't trust the CA that issued them. It first started on a couple of our internal workstations
> but we now have a customer with the same issue. From what I can see, it looks like the browser is
> not seeing the first certificate in the chain, which is the Verisign root certificate, and then it doesn't
> trust the rest of the chain. 
> 
> Here's what our correct chain looks like: 
> <image.png>
> 
> And here's what I see on the clients with the error:
> <image.png>
> 
> Could it be an issue on the Apache end, or maybe an obscure issue with Internet Explorer? 
> It's odd that I don't even see the first certificate in the chain marked as invalid, I just don't see
> a certificate at all.
> 
> If anyone cares to give it a try for themselves, https://www.mb.bluecross.ca let me know if you get
> an error. 

I pumped that URL into SSL Labs w/ hide results on so it wouldn’t put it on the public list of recent tests, and didn’t find any glaring errors:
https://www.ssllabs.com/ssltest/analyze.html?d=mb.bluecross.ca&hideResults=on

It lists a matrix of browsers near the bottom, and only IE6 on XP is incompatible w/ the SSL/TLS settings used. It also contains details on the certification chain(s). In this case there is only one chain; the intermediary isn't cross-signed by another CA. 

The only potential issue I can see is that the full certification chain is all SHA256withRSA. Any browser/OS with old crypto that doesn't know about SHA256 (IE6/XP, some combinations of Windows 2003, probably others too) will probably have trouble validating this chain. There's not much you can do about this though except encourage your customers to always run up-to-date browsers/OSs. 

Which browser/OS combos aren’t working?

Theo

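The failure Wyatt describes (the browser sees the leaf but nothing above it) is what a client gets when the server hands out only the end-entity certificate and the client has no other way to find the intermediate. The script below is an added example, not part of this thread or of the Blue Cross configuration: it builds a throwaway root -> intermediate -> leaf chain with openssl (all names such as "Example Root CA" and www.example.test are made up), then runs the two verifications a client would perform, once with the leaf alone and once with the intermediate supplied alongside it, and prints the signature algorithm so you can confirm the chain is SHA-256 throughout. The bundle it writes at the end is what you would point Apache's SSLCertificateChainFile (or a combined SSLCertificateFile) at.

```shell
#!/bin/sh
# Added example: toy root -> intermediate -> leaf chain built with openssl to
# show what a client sees when the server omits the intermediate certificate.
# All subject names here are invented for the demo.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build the three certificates. Every signature is SHA-256, mirroring the
# all-SHA256withRSA chain discussed in the thread.
build_chain() {
  # Self-signed root (the trust anchor the client already has).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

  # Intermediate CA signed by the root. It must carry CA:TRUE and
  # keyCertSign, otherwise openssl verify rejects it as an issuer.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$WORK/int.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null

  # End-entity (server) certificate signed by the intermediate.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
    > "$WORK/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$WORK/leaf.csr" \
    -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# A client that trusts only the root and receives just the leaf: there is no
# path from leaf to root, so verification fails (exit status non-zero).
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same client, but the server also sent the intermediate. -untrusted is how
# openssl models certificates presented by the peer rather than trusted locally.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# Number of certificates in a PEM bundle, i.e. how many the server would send.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Signature algorithm of one certificate, e.g. sha256WithRSAEncryption.
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

build_chain
# Leaf first, then the intermediate: the order Apache should present them in.
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/server-bundle.pem"

echo "leaf only:           $(verify_leaf_only && echo OK || echo FAIL)"
echo "leaf + intermediate: $(verify_with_intermediate && echo OK || echo FAIL)"
echo "certs in bundle:     $(count_certs "$WORK/server-bundle.pem")"
echo "leaf signed with:    $(sig_alg "$WORK/leaf.pem")"
```

Against a live server the equivalent check is `openssl s_client -connect host:443 -servername host -showcerts </dev/null`, which prints every certificate the server actually sent; if only one `BEGIN CERTIFICATE` block comes back, the intermediate is missing from the server configuration and clients that lack it (or cannot fetch it via AIA) will fail exactly as described above.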