So we recently upgraded our SSL certificate to SHA256 to meet Google's new security policies, and now we're getting very isolated incidents where browsers do not trust the new certificate because they don't trust the CA that issued them. It first started on a couple of our internal workstations, but we now have a customer with the same issue. From what I can see, it looks like the browser is not seeing the first certificate in the chain, which is the Verisign root certificate, and then it doesn't trust the rest of the chain.
Here's what our correct chain looks like: [image: Inline image 1]
And here's what I see on the clients with the error: [image: Inline image 2]
Could it be an issue on the Apache end, or maybe an obscure issue with Internet Explorer? It's odd that I don't even see the first certificate in the chain marked as invalid; I just don't see a certificate at all.
If anyone cares to give it a try for themselves, https://www.mb.bluecross.ca, let me know if you get an error.
-- Wyatt Zacharias
Works fine with all 3 browsers I tried ... Chrome, Firefox and IE ...
Dan
On Fri, Jun 12, 2015, 14:19 Wyatt Zacharias wyatt@magitech.ca wrote:
Roundtable mailing list Roundtable@muug.mb.ca http://www.muug.mb.ca/mailman/listinfo/roundtable
Works fine on my Windows Vista 32-bit with up-to-date Firefox.
Hartmut W Sager - Tel +1-204-339-8331, +1-204-515-1701
On 12 June 2015 at 14:18, Wyatt Zacharias wyatt@magitech.ca wrote:
On Jun 12, 2015, at 2:18 PM, Wyatt Zacharias wyatt@magitech.ca wrote:
I pumped that URL into SSL Labs w/ hide results on so it wouldn't put it on the public list of recent tests, and didn't find any glaring errors: https://www.ssllabs.com/ssltest/analyze.html?d=mb.bluecross.ca&hideResults=on
It lists a matrix of browsers near the bottom, and only IE6 on XP is incompatible w/ the SSL/TLS settings used. It also contains details on the certification chain(s). In this case there is only one chain; the intermediary isn't cross-signed by another CA.
The only potential issue I can see is that the full certification chain is all SHA256withRSA. Any browser/OS with old crypto that doesn't know about SHA256 (IE6/XP, some combinations of Windows 2003, probably others too) will probably have trouble validating this chain. There's not much you can do about this though except encourage your customers to always run up-to-date browsers/OSs.
Which browser/OS combos aren’t working?
Theo
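The symptom in the original post (a client sees no trusted certificate above the one it was sent) is usually a chain-linkage question: does every certificate the server sends name, as its issuer, the next certificate in the list, and does the list end at a root the client already trusts? The following is an added example, not code from the thread. It parses the "Certificate chain" listing that `openssl s_client -connect HOST:443 -servername HOST </dev/null` prints and reports the gaps; the sample listing and the names in it are constructed placeholders, not a capture from the server discussed above.

```python
"""Check that a server-sent certificate chain links up end to end.

Input is the 'Certificate chain' block printed by openssl s_client, e.g.
    openssl s_client -connect www.mb.bluecross.ca:443 -servername www.mb.bluecross.ca </dev/null
Servers normally omit the root, so the last issuer must be in the client's trust store.
"""
import re

# Constructed sample of s_client output; subject/issuer names are placeholders.
SAMPLE_CHAIN = """\
Certificate chain
 0 s:/C=CA/ST=Manitoba/O=Example Org/CN=www.example.invalid
   i:/C=US/O=Example CA/CN=Example Intermediate CA
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
---
"""

# Constructed stand-in for a client's trust store (what Windows/Firefox would hold).
TRUSTED_ROOTS = {"/C=US/O=Example CA/CN=Example Root CA"}


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    certs, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+s:(.*)$", line)  # ' 0 s:/C=...' subject line
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s*i:(.*)$", line)  # '   i:/C=...' issuer line
        if m and subject is not None:
            certs.append((subject, m.group(1).strip()))
            subject = None
    return certs


def check_chain(certs, trusted_roots):
    """Return a list of human-readable problems; an empty list means the chain links up."""
    problems = []
    for k in range(len(certs) - 1):  # each issuer must be the next cert's subject
        if certs[k][1] != certs[k + 1][0]:
            problems.append(f"cert {k} issued by '{certs[k][1]}' but cert {k + 1} is '{certs[k + 1][0]}'")
    if certs:  # the top of what was sent must chain to a trusted root (or be that root)
        last_subject, last_issuer = certs[-1]
        if last_issuer not in trusted_roots and last_issuer != last_subject:
            problems.append(f"chain ends at '{last_issuer}', which the client does not trust")
    return problems
```

A server that sends only the leaf (the Apache misconfiguration the poster suspects) produces exactly one problem: the chain ends at the intermediate, which no browser trusts directly.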