KahunaNui
join:2000-05-01
Honolulu, HI

KahunaNui

Member

Server Certificate Insanity - Chromium & XPPro

Aloha All!

Starting about 2 weeks ago, none of my XP systems can access the startpage\ixquick.com search sites due to an invalid server certificate... but get this, it only happens with those two sites (so far) and only in Chromium-based browsers, including Google Chrome. Thus far, I've tried Iron, Epic and the aforementioned, and I've tried older to the newest versions and even portable versions. I've clean uninstalled (cleaned registry etc.), but still it happens upon every new install.

I've emailed the support addresses for both along with screen shots but so far no response and no help to figure this out. I'm not so savvy with Chromium yet or Certs so I'm kinda stuck and really want to figure out why this just happened and see what I need to do to fix it.

Systems are totally clean. At first I suspected some kind of MIM attack but realized that with my present setup that would be darn near impossible. Nevertheless, I confirmed that this is not the case. Yet every single XP system is having the same problem.

So far, this isn't happening with Win7 Pro.

I was suspecting it was some kind of anti-XP tactic, but why only those two sites (they are related) and why just now? No system changes on my end. It's a total mystery to me. Every other browser shows their certs to be valid and up to date. Again no other https sites give us this problem in Chromium browsers. Other browsers are Opera, Moz FF & SM...er, I don't do IE.

Setup is a simple small WG - Zyxel usg security gateway - - There is nothing else noticeably amiss except this.

Thanks in advance for any ideas, help or information on this issue.
I can post screen shots if needed, but they are only the standard 'Invalid Server Certificate' warnings and since the sites are encrypted, I cannot proceed.

Thanks again for any help!

maartena
Elmo
Premium Member
join:2002-05-10
Orange, CA

1 recommendation

maartena

Premium Member

Most websites are run using TLS 1.0 SSL security, but a recent bug in SSL called "heartbleed" has made many sites make major changes. Most sites simply patched their TLS 1.0 and moved on. Many sites, however, upgraded to TLS 1.2.

The problem, in this case, is Windows XP. It does not support the newer TLS 1.1 and 1.2 natively, although an update for Internet Explorer 8 (not 7 or 6) is available. TLS 1.2 was released after mainstream support ended for Windows XP.

With the heartbleed security flaw, many websites that before had been reluctant to upgrade to TLS 1.2 (for one because of the poor support in older OSes and browsers) are now doing so since those old OSes and browsers are out of support.

ixquick.com indeed uses TLS 1.2 as their security protocol, and that is where the problem lies. I suspect that Chromium uses the OS-supported root certificate TLS level, while some browsers may use their own root certificates. It is also possible that Chrome simply is set up to not support TLS 1.2 on Windows XP, simply because Microsoft doesn't support it.

Right now the problem is not that big, but as more and more sites update to TLS 1.2, you will run into problems with Windows XP.

Solutions:

- Upgrade the Windows XP workstations to Windows 7.
- Use a different browser, if they work. Internet Explorer 8 does work, but since you don't use that browser, perhaps Firefox is a better solution.

Your best bet is probably using Windows 7, and leaving the now 13-year-old XP in the past. Eventually you are going to have to anyway, and now that XP is out of support, you will start to run into these kinds of problems.

therube
join:2004-11-11
Randallstown, MD

therube to KahunaNui

Member

to KahunaNui
> none of my XP systems can access the StartPage \ Ixquick search sites due to an invalid server certificate

No such issues here with Chrome & XP.
Suppose Chrome has a method to create a new Profile?
Create a new Profile.
Does the issue persist?

KahunaNui
join:2000-05-01
Honolulu, HI

KahunaNui

Member

I'm very excited and thankful to find our esteemed 'therube' chime in here!
Thank you very much for that confirmation as it's been difficult to get that input from outside our net. At least it's been slow in coming.

Now maartena has offered a very interesting scenario which would fit with the timetable of when this started. We've actually been following this 'heartbleed' since 2011, but it didn't seem to go 'viral' until just a few weeks ago. That would fit. But your confirmation that everything is ok with your system makes me suspect that SP3 is the key.

therube, can you confirm whether or not you're running SP3? We're still at SP2 and only install SP3 when we absolutely need it (for certain temp software packages etc.). We partition and image everything so we can run SP3 systems when we need to. That may be the key here. I'll throw in an SP3 image and check but it would help if you can confirm what SP your XP system is running.

As far as the new profile idea, we've totally clean uninstalled and re-installed all chromium software we've been testing. Since we image we can easily perform these kinds of clean uninstalls\re-installs. I really think that SP3 [or perhaps some other updates since SP2] is the key here.

What maartena offers is spot on. Eventually it will be more and more difficult to keep using XP with the Internet. However, at the point where it becomes impossible, we'll probably completely go to Linux (probably Slackware) and not look back.

I can't thank you and maartena enough for your invaluable help and responses.

therube
join:2004-11-11
Randallstown, MD

therube

Member

Yes, XP SP3.

On the Mozilla end, some people either screw up their certificates or end up with some sort of corruption dealing with certs. Testing in a new, clean Profile can help to point something like that out.
19579823 (banned)
An Awesome Dude
join:2003-08-04

4 edits

19579823 (banned) to maartena

Member

to maartena

quote:
With the heartbleed security flaw, many websites that before had been reluctant to upgrade to TLS 1.2 (for one because of the poor support in older OSes and browsers) are now doing so since those old OSes and browsers are out of support.

ixquick.com indeed uses TLS 1.2 as their security protocol, and that is where the problem lies.
Yes well, they shouldn't have changed their TLS settings.... That IS NOT WHY THEY CHANGED THEIR CERT (To try and block people) all they are doing is cutting people off which is severely ignorant on their parts!! (No surprise seeing how things are going in the world)..... Sites that get reports that people can't access them now SHOULD CHANGE THEIR TLS SETTINGS BACK TO WHAT THEY HAD THEM AT!! -- NO REASON TO BE WILLINGLY BLOCKING PEOPLE!! (Not very nice)

IXQUICK.COM (startpage) loads instantly for me, I'm using IE6 SP1 (Well I'm using MyIE2 9.27.68 (IE wrapper) which is an IE add-on (It accesses the IE engine for page rendering, etc))
evoxllx
join:2007-06-07
Winter Park, FL

evoxllx

Member

said by 19579823:

Yes well, they shouldn't have changed their TLS settings.... That IS NOT WHY THEY CHANGED THEIR CERT (To try and block people) all they are doing is cutting people off which is severely ignorant on their parts!! (No surprise seeing how things are going in the world)..... Sites that get reports that people can't access them now SHOULD CHANGE THEIR TLS SETTINGS BACK TO WHAT THEY HAD THEM AT!! -- NO REASON TO BE WILLINGLY BLOCKING PEOPLE!! (Not very nice)

IXQUICK.COM (startpage) loads instantly for me, I'm using IE6 SP1 (Well I'm using MyIE2 9.27.68 (IE wrapper) which is an IE add-on (It accesses the IE engine for page rendering, etc))

Anyone using XP prior to SP3 with IE or Chrome will be unable to access any HTTPS sites eventually. Microsoft's SChannel doesn't support SHA-2 signed certificates prior to XP SP3 and large sites are already starting to migrate over to SHA-2.

The day will come when CAs will no longer issue SHA-1 signed certificates, just like what happened with MD5.

So enjoy things while you can, on your ancient setup with RC4 and 3DES ciphers.
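
As an added example (not code from this thread or from any of the posters), the following Python walks just enough of a DER-encoded certificate's ASN.1 structure to read the OID in its outer signatureAlgorithm field and report whether the signature hash is SHA-1 or SHA-2. Run over a chain, it flags the certificates a pre-SP3 SChannel would not be able to verify, per the post above. The sample input is a constructed, certificate-shaped DER blob with a placeholder tbsCertificate and signature, not a real certificate; only the OID table applies to real sites. For a live check, the leaf certificate can be fetched with the standard library's ssl.get_server_certificate() and converted with ssl.PEM_cert_to_DER_cert() before calling signature_algorithm() on it.

```python
"""Classify the signature hash of DER-encoded X.509 certificates.

Added example for this thread (not any poster's code). Parses only the outer
layers, Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm,
signatureValue }, reads the OID inside signatureAlgorithm and maps it to a
hash family, so a chain can be checked for the SHA-2 signatures that SChannel
on XP before SP3 cannot verify (as the post above states).
"""

# Signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> (name, hash family)
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-2"),
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OID content bytes to dotted form (first arc 0 or 1, as for all OIDs above)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return (oid, name, hash_family) from the certificate's outer signatureAlgorithm."""
    tag, pos, _ = _read_tlv(der, 0)                        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, tbs_end = _read_tlv(der, pos)                 # tbsCertificate, skipped whole
    if tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    tag, alg_start, _ = _read_tlv(der, tbs_end)           # signatureAlgorithm ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed signatureAlgorithm")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)   # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = _decode_oid(der[oid_start:oid_end])
    name, family = SIG_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, family


def sha2_signed(chain_der):
    """(index, name) for each certificate in the chain (leaf first) signed with a SHA-2 hash."""
    flagged = []
    for i, der in enumerate(chain_der):
        _, name, family = signature_algorithm(der)
        if family == "SHA-2":
            flagged.append((i, name))
    return flagged


# --- constructed test input: certificate-shaped DER, not a real certificate ---
def _der(tag, content):
    """Minimal DER encoder for the test builder (lengths below 65536)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    """Dotted OID -> DER content bytes (inverse of _decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_fake_cert(sig_oid):
    """Placeholder tbsCertificate and signature wrapped around a real signatureAlgorithm OID."""
    tbs = _der(0x30, _der(0x02, b"\x02"))                                 # stand-in body
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))  # AlgorithmIdentifier
    sig = _der(0x03, b"\x00" + bytes(32))                                 # BIT STRING stand-in
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    chain = [make_fake_cert("1.2.840.113549.1.1.11"),   # leaf: sha256WithRSAEncryption
             make_fake_cert("1.2.840.113549.1.1.5")]    # intermediate: sha1WithRSAEncryption
    print(sha2_signed(chain))   # [(0, 'sha256WithRSAEncryption')]
```

Only the outer signatureAlgorithm is read here; the signature field inside tbsCertificate must match it in a well-formed certificate, so checking one is enough for classification.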

KahunaNui
join:2000-05-01
Honolulu, HI

1 edit

KahunaNui

Member

Re: Server Certificate Insanity - Chromium & XPPro - SOLVED

BINGO! Solved with SP3.
Just shuffled in an SP3 image and even the older Iron install rendered the page correctly.

No doubt startpage\ixquick did change something as per maartena and evoxllx and broke the site for all of us lowly SP2 users. No doubt this will be happening more and more.

We wholeheartedly thank everyone for helping us sort this out. I feel foolish for not figuring it out on my own. Needed the 'push' from maartena and therube helped by providing another important clue.

We've seen the 'writing on the wall' and realized for some time now what we're in for by continuing to use XP especially with SP2.

QUESTION (especially to evoxllx)
Is there any patch we could install that would update\upgrade this without having to fully install SP3? I've got to ask, if I don't ask I'll never know.

P.S. It's interesting that their support team finally got in touch with us about this.
And they are still trying to figure it out.
It will be very interesting to see what they come up with.
KahunaNui

KahunaNui

Member

THIS is Getting Really Crazy

I'm cracking up here. Shortly after SP\IQ support team contacted us, we now have no problems accessing their pages using the chromium browsers, with SP2.

Ironically (this has to be irony at its finest), the same problem erupted from dslr
Same Issuer (Go Daddy) with a thumbprint algorithm of sha1.
So now we can't access dslr with chromium browsers using SP2?
This is really getting interesting and more complex at the same time. Now I gotta check other chromium 'flavors' and\or shuffle those SP3 images back and check this further.
KahunaNui

KahunaNui

Member

Re: Server Certificate Insanity - DSLR

After shuffling IN the SP3 image we find we still cannot access DSLR with at least one version of chromium browser. Blockage is the same 'Invalid Server Certificate' issue.
However I'm unable to remember the last time I used chromium to access the dslr site.
It's quite possible that this issue existed for some time now without me knowing.
Checked other ssl sites with no problems (so far).

Can I assume the same isn't true for therube? Could you please confirm your results with the 'flavor' and version of chromium you are using? Thanks!

I highly suspect what was brought forth in this thread is an ongoing affair and changing rapidly. It's no wonder all these issues are going to pop up with [especially] older OSes. I'll bet Win7 won't have any of these issues. I'm going to confirm that tomorrow and do more research.
evoxllx
join:2007-06-07
Winter Park, FL

4 edits

evoxllx to KahunaNui

Member

to KahunaNui

Re: Server Certificate Insanity - Chromium & XPPro - SOLVED

said by maartena:

Most websites are run using TLS 1.0 SSL security, but a recent bug in SSL called "heartbleed" has made many sites make major changes. Most sites simply patched their TLS 1.0 and moved on. Many sites, however, upgraded to TLS 1.2.

Heartbleed has nothing to do with any specific version of TLS, it has to do with specific versions of OpenSSL that have the heartbeat feature enabled.
said by maartena:

The problem, in this case, is Windows XP. It does not support the newer TLS 1.1 and 1.2 natively, although an update for Internet Explorer 8 (not 7 or 6) is available. TLS 1.2 was released after mainstream support ended for Windows XP.

With the heartbleed security flaw, many websites that before had been reluctant to upgrade to TLS 1.2 (for one because of the poor support in older OSes and browsers) are now doing so since those old OSes and browsers are out of support.

Right now the problem is not that big, but as more and more sites update to TLS 1.2, you will run into problems with Windows XP.

It's true that XP+IE doesn't support TLS 1.1 or 1.2; in fact, with older versions of IE, it doesn't even enable TLS 1.0 by default.

I also foresee another compatibility issue for XP+IE users in the near future, seeing how XP+IE really only supports two ciphers, RC4 and 3DES. Support for both is being phased out on various websites, not to mention RC4 being completely insecure.

Also, just because a site supports TLS 1.1 or 1.2, doesn't mean XP+IE users can't access it. They just won't be able to use those newer protocols, assuming the site also supports SSLv3 or TLS 1.0 as well.
said by maartena:

ixquick.com indeed uses TLS 1.2 as their security protocol, and that is where the problem lies. I suspect that Chromium uses the OS-supported root certificate TLS level, while some browsers may use their own root certificates. It is also possible that Chrome simply is set up to not support TLS 1.2 on Windows XP, simply because Microsoft doesn't support it.

Chrome does use Microsoft's root store, but that's about where it ends. Chrome on XP does support TLS 1.1 and 1.2, as they currently use NSS for their SSL/TLS library, like Firefox also does.
said by maartena:

It does not support the newer TLS 1.1 and 1.2 natively, although an update for Internet Explorer 8 (not 7 or 6) is available.

- Use a different browser, if they work. Internet Explorer 8 does work, but since you don't use that browser, perhaps Firefox is a better solution.

IE8 doesn't support TLS 1.1 or 1.2 on XP.
said by KahunaNui:

Is there any patch we could install that would update\upgrade this without having to fully install SP3? I've got to ask, if I don't ask I'll never know.

While using IE or Chrome, the only way is by upgrading to SP3. You could also switch to a different browser that doesn't rely on Microsoft's root store, such as Firefox.
said by KahunaNui:

I'm cracking up here. Shortly after SP\IQ support team contacted us, we now have no problems accessing their pages using the chromium browsers, with SP2.

Ironically (this has to be irony at its finest), the same problem erupted from dslr
Same Issuer (Go Daddy) with a thumbprint algorithm of sha1.
So now we can't access dslr with chromium browsers using SP2?
This is really getting interesting and more complex at the same time. Now I gotta check other chromium 'flavors' and\or shuffle those SP3 images back and check this further.

DSLR's certificate is signed with SHA-256, as are the GoDaddy intermediates they send.

»www.ssllabs.com/ssltest/ ··· orts.com

Of course, ssllabs is also signed with SHA-256 now, so you'd be unable to load that as well with SP2+IE or Chrome.
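
The point made above, that a site adding TLS 1.1/1.2 does not shut out a TLS 1.0-only client as long as TLS 1.0 stays enabled, while dropping the only ciphers that client has does, can be made concrete with a small model of version and cipher selection. This is an added example, not code from the thread or from any poster. The client and server profiles are constructed illustrations (an XP+IE client limited to SSLv3/TLS 1.0 with RC4 and 3DES, as described above; a Chrome-on-XP client whose NSS library offers TLS 1.2; three hypothetical server configurations). Real negotiation also involves extensions, signature algorithms and server-preference settings; the model keeps only the two choices the post is about.

```python
"""Toy model of TLS protocol-version and cipher-suite selection.

Added example for this thread, not any poster's code. The server picks the
highest protocol version both sides support, then the first suite in its own
preference list that the client also offered; either choice failing means
the handshake fails. All peer profiles below are constructed illustrations.
"""
from dataclasses import dataclass

VERSION_ORDER = ["SSLv3", "TLS 1.0", "TLS 1.1", "TLS 1.2"]   # lowest to highest


@dataclass
class Peer:
    name: str
    versions: list   # protocol versions the peer accepts
    ciphers: list    # cipher suites, in the peer's preference order


def negotiate(client, server):
    """Highest common version plus the server's first cipher that the client also offers."""
    common = [v for v in VERSION_ORDER if v in client.versions and v in server.versions]
    if not common:
        return {"ok": False, "reason": "no common protocol version"}
    cipher = next((c for c in server.ciphers if c in client.ciphers), None)
    if cipher is None:
        return {"ok": False, "reason": "no common cipher suite"}
    return {"ok": True, "version": common[-1], "cipher": cipher}


# --- constructed client profiles (suite names are illustrative labels) ---
XP_IE = Peer("XP+IE", ["SSLv3", "TLS 1.0"], ["RC4-SHA", "3DES-EDE-CBC-SHA"])
CHROME_XP = Peer("Chrome on XP (NSS)", ["TLS 1.0", "TLS 1.1", "TLS 1.2"],
                 ["AES128-GCM-SHA256", "AES128-CBC-SHA", "3DES-EDE-CBC-SHA", "RC4-SHA"])

# --- constructed server profiles ---
SITE_ADDS_TLS12 = Peer("added TLS 1.2, kept TLS 1.0", ["TLS 1.0", "TLS 1.1", "TLS 1.2"],
                       ["AES128-GCM-SHA256", "AES128-CBC-SHA", "3DES-EDE-CBC-SHA"])
SITE_TLS12_ONLY = Peer("requires TLS 1.2", ["TLS 1.2"], ["AES128-GCM-SHA256"])
SITE_NO_LEGACY_CIPHERS = Peer("dropped RC4 and 3DES", ["TLS 1.0", "TLS 1.1", "TLS 1.2"],
                              ["AES128-GCM-SHA256", "AES128-CBC-SHA"])


def compatibility_report(clients, servers):
    """Negotiation outcome for every client/server pair, keyed by (client name, server name)."""
    return {(c.name, s.name): negotiate(c, s) for c in clients for s in servers}


if __name__ == "__main__":
    report = compatibility_report([XP_IE, CHROME_XP],
                                  [SITE_ADDS_TLS12, SITE_TLS12_ONLY, SITE_NO_LEGACY_CIPHERS])
    for (client, server), result in report.items():
        print(f"{client:20s} -> {server:30s}: {result}")
```

Run as-is, the report shows XP+IE still connecting to the first server over TLS 1.0 with 3DES, failing the second on protocol version and the third on cipher suite, while the NSS-based Chrome profile reaches all three with TLS 1.2.
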
19579823 (banned)
An Awesome Dude
join:2003-08-04

1 edit

19579823 (banned) to KahunaNui

Member

to KahunaNui

quote:
I'm cracking up here. Shortly after SP\IQ support team contacted us, we now have no problems accessing their pages using the chromium browsers, with SP2.
I wonder if they set things back to the way they were (TLS settings)
evoxllx
join:2007-06-07
Winter Park, FL

evoxllx

Member

said by 19579823:

quote:
I'm cracking up here. Shortly after SP\IQ support team contacted us, we now have no problems accessing their pages using the chromium browsers, with SP2.
I wonder if they set things back to the way they were (TLS settings)

I doubt it had anything to do with their TLS settings, as Chrome supports all versions of TLS on XP.

My guess is they previously had a SHA-2 signed certificate, then started getting complaints from users who were on XP SP2 and decided to issue a new certificate with a SHA-1 signature instead.

It would certainly not be the first time this has happened, fanfiction.net actually did the exact same thing.

Thankfully, a growing number of large sites are deciding that enough is enough, it's time to deny the irresponsible people who refuse to apply updates.

KahunaNui
join:2000-05-01
Honolulu, HI

KahunaNui

Member

quote:
My guess is they previously had a SHA-2 signed certificate, then started getting complaints from users who were on XP SP2 and decided to issue a new certificate with a SHA-1 signature instead.

It would certainly not be the first time this has happened, fanfiction.net actually did the exact same thing.
fanfiction gives us a similar warning but allows us to continue.
quote:
While using IE or Chrome, the only way is by upgrading to SP3.
I'm surprised that even with SP3, we still are unable to access dslr (haven't tried the ssllabs site which is inaccessible w/SP2).
Again this is only with Chromium browsers so far, as we don't do 'IE'.

Thanks again for all this helpful input!
19579823 (banned)
An Awesome Dude
join:2003-08-04

19579823 (banned)

Member

Maybe Justin is very busy and hasn't gotten round to editing the cert....... I don't see any reason why he shouldn't fix it....... Who cares who wants to connect here?? -- Justin wasn't ever affected by this heartbleed thing I don't think, WHY DID HE EVEN CHANGE IT?? (Problems where there weren't any)

When I go to fanfiction I just get an alert saying I do not have their cert in my library.. (I can still click YES and load the cert (W/o having to install it))
evoxllx
join:2007-06-07
Winter Park, FL

evoxllx to KahunaNui

Member

to KahunaNui
said by KahunaNui:

quote:
My guess is they previously had a SHA-2 signed certificate, then started getting complaints from users who were on XP SP2 and decided to issue a new certificate with a SHA-1 signature instead.

It would certainly not be the first time this has happened, fanfiction.net actually did the exact same thing.
fanfiction gives us a similar warning but allows us to continue.
quote:
While using IE or Chrome, the only way is by upgrading to SP3.
I'm surprised that even with SP3, we still are unable to access dslr (haven't tried the ssllabs site which is inaccessible w/SP2).
Again this is only with Chromium browsers so far, as we don't do 'IE'.

Thanks again for all this helpful input!

If you can't access it (even on SP3), the issue is likely unrelated to SHA-2 signed certificates.

Fanfiction doesn't even have a SHA-2 signed certificate anymore.

Perhaps your root store is severely outdated or corrupt. This has been known to happen with XP.

If it's just outdated, you could try updating it with Microsoft's updater.

»www.microsoft.com/en-us/ ··· id=41084

therube
join:2004-11-11
Randallstown, MD

therube to KahunaNui

Member

to KahunaNui
> we still are unable to access dslr

XP SP3
Chrome 34.0.1847.131

URL: http s://secure.dslreports.com/

No problems.

Edit: had to break the (s)ecure link, otherwise it wasn't displaying

Candle
Like a candle in the wind
Premium Member
join:2007-08-13
Fosston, MN

Candle to KahunaNui

Premium Member

to KahunaNui

Re: Server Certificate Insanity - Chromium & XPPro

check the date on your computer. is it the right day?

KahunaNui
join:2000-05-01
Honolulu, HI

KahunaNui to therube

Member

to therube

Re:

quote:
XP SP3 Chrome 34.0.1847.131
URL: http s://secure.dslreports.com/
No problems.
THANKS therube!
I'm starting to believe the link evoxllx so nicely provided could help.
Going to give it a shot and report back (thanks evoxllx! )
KahunaNui

KahunaNui to Candle

Member

to Candle

Re: Server Certificate Insanity - Installing Root Stores Update Correctly?

Sorry Candle - I somehow missed this
"check the date on your computer. is it the right day?"

We sync the systems automatically. Date\time are correct on all.
That was one of the first things we checked.

Startpage confirmed they "...made some changes..." and further offered this:
"We believe the issue relates to Chromium's handling of SHA-1 and SHA-2 certificates."

As per evoxllx's tip*:
Applied\installed the root stores updates to both sp2 & sp3 systems with varied results.
Access was restored to some sites while others were still inaccessible.
In the meantime, we're having this issue now with more sites.
The writing is definitely on the wall with this.

* Not sure if this update even installed correctly.
Unlike so many hotfixes\patches from MS this one didn't prompt us at all.
Can anyone confirm how to install this? Double clicking the exe did nothing, and I discovered it's an archive.
So I unarchived and did an 'inf install' by right clicking inf file and chose "install".
After a long wait with no confirmation I rebooted system. How can I confirm this was installed?
If I knew where the root stores were er, stored, I could check that way?

Thanks for all the helpful input
KahunaNui

KahunaNui to therube

Member

to therube

Re:

Hello therube!
Very interesting, the url we have problems with is not that one.
It's this one: htt s://www.dslreports.com
In fact that one comes up as untrusted in Mozilla (FF & SM) as well.

We've now discovered that we are having this issue with other sites.
At first it was confined to startpage\ixquick but then found out about dslr.
Now it's popping up in other secure sites.

After getting a confirmation on how to install the root stores update,
we'll try upgrading our chrome.

So you don't ever have this problem with any other secure sites in Chrome?
Can I send you some urls to check? Unfortunately, I lost the list of the others that denied access. I'll list some of them later and see. Would it be better to pm you with them?

Thank You
evoxllx
join:2007-06-07
Winter Park, FL

evoxllx

Member

said by KahunaNui:

Hello therube!
Very interesting, the url we have problems with is not that one.
It's this one: htt s://www.dslreports.com
In fact that one comes up as untrusted in Mozilla (FF & SM) as well.

We've now discovered that we are having this issue with other sites.
At first it was confined to startpage\ixquick but then found out about dslr.
Now it's popping up in other secure sites.

After getting a confirmation on how to install the root stores update,
we'll try upgrading our chrome.

So you don't ever have this problem with any other secure sites in Chrome?
Can I send you some urls to check? Unfortunately, I lost the list of the others that denied access. I'll list some of them later and see. Would it be better to pm you with them?

Thank You

The DSLR warning you get for (https) www.dslreports.com is actually normal. Their certificate is only valid for secure.dslreports.com.

If you post the other sites, I can tell you if I see anything that might be causing it.

KahunaNui
join:2000-05-01
Honolulu, HI

KahunaNui

Member

Other SSL Sites

quote:
The DSLR warning you get for (https) www.dslreports.com is actually normal. Their certificate is only valid for secure.dslreports.com.

If you post the other sites, I can tell you if I see anything that might be causing it.
Awesome evoxllx! Your wish is my command. Working on another project but will check out some of those sites ASAP.

Thank you very much!