 justinAustralian join:1999-05-28 New York, NY kudos:7 | reply to nwrickert
Re: New SSL Cert Problem Report
Weird. I'll look at it again sometime soon. I'm out of ideas. |
|
 nwrickertsand groperPremium,MVM join:2004-09-04 Geneva, IL kudos:7 Reviews:
·AT&T U-Verse
1 edit | Using openssl on Linux, I tried the command:
openssl s_client -CAfile gd-class2-root.crt -connect secure.dslreports.com:443
Here is the beginning of the output:
CONNECTED(00000003)
depth=0 /O=secure.dslreports.com/OU=Domain Control Validated/CN=secure.dslreports.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=secure.dslreports.com/OU=Domain Control Validated/CN=secure.dslreports.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=secure.dslreports.com/OU=Domain Control Validated/CN=secure.dslreports.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/O=secure.dslreports.com/OU=Domain Control Validated/CN=secure.dslreports.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
I then tried:
openssl s_client -CAfile gd-class2-root.crt -connect certificates.godaddy.com:443
and the corresponding part of the output is:
CONNECTED(00000003)
depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=certificates.godaddy.com/1.3.6.1.4.1.311.60.2.1.2=AZ/1.3.6.1.4.1.311.60.2.1.3=US/serialNumber=0796928-7
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
---
As you can see, the Go Daddy site is presenting a longer certificate chain.
(added in edit) The file "gd-class2-root.crt" referenced in the openssl commands above, contains the GoDaddy Class 2 CA certificate as downloaded from GoDaddy, and should be the same as the certificate in the firefox store. -- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.4 |
|
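The two s_client runs quoted above differ in exactly one thing a client cares about: whether the issuer of each presented certificate is either in the local trust store or the next certificate the server sent. The script below is an added example, not code from this thread or from OpenSSL; it parses the "Certificate chain" and "verify error" lines that s_client prints and walks the chain leaf-first the way a client does. The trust store is reduced to a set of subject names (an assumption, standing in for the signature check a real validator performs), and both sample outputs are constructed from the lines quoted in the post.

```python
"""Check whether the chain a TLS server presents links up to a trusted root.
Added example, not code from the thread: parses the 'Certificate chain' and
'verify error' lines printed by `openssl s_client`. Matching issuer to subject
by name stands in for the signature check a real validator performs."""
import re
from typing import List, NamedTuple, Set, Tuple

# Stand-in trust store: the subject of the GoDaddy Class 2 root, i.e. what the
# thread's gd-class2-root.crt contains (assumption: names, not signatures).
TRUSTED_SUBJECTS: Set[str] = {
    "/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority",
}

# Constructed sample: secure.dslreports.com sent only its leaf certificate.
DSLREPORTS_OUTPUT = """\
CONNECTED(00000003)
depth=0 /O=secure.dslreports.com/OU=Domain Control Validated/CN=secure.dslreports.com
verify error:num=20:unable to get local issuer certificate
depth=0 /O=secure.dslreports.com/OU=Domain Control Validated/CN=secure.dslreports.com
verify error:num=27:certificate not trusted
depth=0 /O=secure.dslreports.com/OU=Domain Control Validated/CN=secure.dslreports.com
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/O=secure.dslreports.com/OU=Domain Control Validated/CN=secure.dslreports.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
"""

# Constructed sample: certificates.godaddy.com also sent the intermediate,
# the Class 2 root and the ValiCert cross-signing root.
GODADDY_OUTPUT = """\
CONNECTED(00000003)
depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=certificates.godaddy.com/serialNumber=0796928-7
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
 3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
---
"""

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:<subject DN>"
ISSUER_RE = re.compile(r"^\s*i:(.*)$")            # "   i:<issuer DN>"
VERIFY_RE = re.compile(r"^verify error:num=(\d+):")


class Link(NamedTuple):
    subject: str
    issuer: str


def parse_chain(output: str) -> List[Link]:
    """Return the (subject, issuer) pairs listed under 'Certificate chain'."""
    links, subject, in_chain = [], None, False
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif not in_chain:
            continue
        elif line.strip() == "---":          # end of the chain section
            break
        elif (m := SUBJECT_RE.match(line)):
            subject = m.group(2).strip()
        elif (m := ISSUER_RE.match(line)) and subject is not None:
            links.append(Link(subject, m.group(1).strip()))
            subject = None
    return links


def verify_errors(output: str) -> List[int]:
    """Return the X509 verify error numbers s_client printed, in order."""
    return [int(m.group(1)) for m in map(VERIFY_RE.match, output.splitlines()) if m]


def check_chain(links: List[Link], trusted: Set[str]) -> Tuple[bool, str]:
    """Walk leaf-first: each issuer must be in the trust store or be the next
    certificate the server sent. Stops at the first trusted issuer."""
    if not links:
        return False, "no certificates presented"
    for depth, link in enumerate(links):
        if link.issuer in trusted:
            return True, f"issuer of depth {depth} is in the trust store"
        if link.subject == link.issuer:
            return False, f"self signed certificate at depth {depth} is not in the trust store"
        if depth + 1 == len(links):          # the s_client num=20 situation
            return False, (f"unable to get local issuer certificate at depth {depth}: "
                           f"server did not send the certificate for '{link.issuer}'")
        if links[depth + 1].subject != link.issuer:
            return False, f"depth {depth + 1} is not the issuer of depth {depth}"
    raise AssertionError("unreachable: the last link always returns")
```

Run against the two samples, the dslreports chain fails with the same "unable to get local issuer certificate" condition s_client reported (num=20), because the Go Daddy Secure Certification Authority intermediate is neither in gd-class2-root.crt nor sent by the server; the godaddy.com chain succeeds at depth 1, where the issuer is the Class 2 root in the trust store. The walk stopping at the first trusted issuer is what current OpenSSL does by default (trusted-first); the num=19 in the thread's second run comes from an older OpenSSL that kept walking the presented chain up to the self-signed ValiCert certificate, which is not in that CAfile. The fix for the first case is on the server side: ship the intermediate with the leaf.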
 nwrickertsand groperPremium,MVM join:2004-09-04 Geneva, IL kudos:7 | reply to justin It seems to be working fine this morning. |
|
 justinAustralian join:1999-05-28 New York, NY kudos:7 | Yeah, I found the problem: the Apache server needed the certificate chain installed on it, which I had to do twice before I got it right! |
|
 NoVA_CoxUserStand back from the cage -- The RF bitesPremium join:2004-07-06 Alexandria, VA | Nice work, thanks.  |
|
 justinAustralian join:1999-05-28 New York, NY kudos:7
| Nice work would have been getting it right the first time.
By the way, when your SSL cert comes up for renewal, shop around. It's down to 17 bucks per year. Rapidssl was spamming me rigid hoping I would renew with them for 49! Last year they were the cheapest. |
|
 | I get a Forbidden message when I go to »/
Is this still a work in progress? I don't see any link to it on the main page. |
|
 justinAustralian join:1999-05-28 New York, NY kudos:7 | No, it isn't a work in progress; it is the URL for secure login posting after you click to the 'secure' version of the login page. There are no pages to get from it. |
|
 | said by justin:no, it isn't a work in progress, it is the url for secure login posting after you click to the 'secure' version of the login page. there are no pages to get from it. I guess what I'm saying is that I don't know how to "click to" the secure version of the login page. I don't see any links to a secure login page. |
|
 nwrickertsand groperPremium,MVM join:2004-09-04 Geneva, IL kudos:7 Reviews:
·AT&T U-Verse
| If you click on "login" (without entering any login data), you get a page where there is a link for secure login.
When testing the CERT problem, I did just browse to "https://secure.dslreports.com", and ignored the "403 Forbidden" message. -- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.4 |
|
 | Ah...that works, but it seems like it's a complicated way of doing things. |
|
 NoVA_CoxUserStand back from the cage -- The RF bitesPremium join:2004-07-06 Alexandria, VA 1 edit | said by steve1515:Ah...that works, but it seems like it's a complicated way of doing things. I don't understand how to "ignore" the 403 Forbidden page ...
... anyway ... I always use this URL »/login/?secure=1 for my DSLR logins.
Even though the page itself isn't SSL-secured, the username/password are transmitted using SSL. |
|
 | said by NoVA_CoxUser:I don't understand how to "ignore" the 403 Forbidden page ... Here's how I had to do it... On the main page, clear out my username from the user name box, then click the login button, it will take me to another login page that contains a link to login securely. From there I can log in with SSL.
Now, I find this to be a lot of steps just to use SSL. Also, like you say, the login page isn't SSL-secured, but it should be. |
|
 NoVA_CoxUserStand back from the cage -- The RF bitesPremium join:2004-07-06 Alexandria, VA | said by steve1515: ... like you say...the log in page isn't SSL-secured, but it should be ... Agree.
That's the only way for a user to ensure that the site is "legit" prior to sending the form data (i.e. username / password). |
|
 justinAustralian join:1999-05-28 New York, NY kudos:7 | Having a silently accepted SSL certificate is no guarantee of anything. Any phish site can be https. |
|
 nwrickertsand groperPremium,MVM join:2004-09-04 Geneva, IL kudos:7 Reviews:
·AT&T U-Verse
| reply to NoVA_CoxUser I don't understand how to "ignore" the 403 Forbidden page ... The certificate checks are done before you get that message. Thus if I was only testing whether there were certificate problems, I could use that url and pay no attention to the 403 error. That doesn't log me in, but it does test for certificate problems. -- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.4 |
|
 NoVA_CoxUserStand back from the cage -- The RF bitesPremium join:2004-07-06 Alexandria, VA 4 edits | reply to justin said by justin:Having a silently accepted SSL certificate is no guarantee of anything. Any phish site can be https. Not sure what you mean by "silently accepted" ... but I assume that you mean when "joe average internet user" sees "the little lock" and automatically assumes that all's ok. (or worse ... blindly clicks "proceed" when alerted to a certificate/domain mismatch! )
And you're 100% right about phishers using SSL. As you said, SSL certs can be obtained for $17!
But by providing a hierarchically-trusted SSL sign-in page, at least the more sophisticated users (e.g. the majority of DSLR users) could be provided an extra level of assurance that the sign-in page itself was legit and that it hadn't been somehow spoofed or redirected (e.g. by DNS poisoning, unauthorized hosts file modification, etc.).
Or am I missing something here ??? |
|