I don't know how I missed this before, but the issuer of cert 0 does
not match the subject of cert 1 in the chain (G3 vs G5):

 0 s:/C=NO/ST=Norway/L=Oslo/O=EVRY AS/OU=Terms of use at
www.verisign.com/rpa (c)05/CN=bankportal.preprod.evry.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3
International Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

That would seem to be the problem here.

-bri
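The check Brian did by eye above (issuer of cert N must equal subject of cert N+1, and the last issuer must be a trust-store subject) can be run mechanically over `openssl s_client -showcerts` output. The script below is an added example, not code from this thread, from Android or from OpenSSL: it only parses the `s:`/`i:` name lines, so it needs no crypto library. The sample listing and the two trust-store entries are constructed from the names quoted in the thread (e-mail line wrapping undone, PEM bodies omitted); `parse_dn`, `parse_chain_listing`, `check_chain` and `missing_intermediates` are names chosen here.

```python
"""Linkage check for a certificate chain as printed by `openssl s_client -showcerts`.

Added illustration, not code from the thread. It compares names only: each
certificate's issuer must equal the next certificate's subject, and the last
issuer should be a trust-store subject. Sample input is constructed from the
DNs quoted in the thread.
"""
import re
from typing import Dict, List, Set, Tuple

DN = Tuple[Tuple[str, str], ...]  # ordered (attribute, value) pairs


def parse_dn(text: str) -> DN:
    """Parse OpenSSL slash form ('/C=US/O=VeriSign, Inc./OU=...') or comma form
    ('C=US, O=VeriSign, Inc., OU=...') into ordered RDN pairs. A separator only
    counts when followed by 'ATTR=', so embedded commas ('VeriSign, Inc.') and
    slashes ('www.verisign.com/rpa') stay inside their values."""
    text = text.strip()
    if text.startswith("/"):
        parts = re.split(r"/(?=[A-Za-z]+=)", text[1:])
    else:
        parts = re.split(r",\s*(?=[A-Za-z]+=)", text)
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip(), value.strip()))
    return tuple(rdns)


def parse_chain_listing(output: str) -> List[Dict]:
    """Collect the numbered 's:' / 'i:' lines of -showcerts output; PEM blocks are skipped."""
    certs: List[Dict] = []
    for line in output.splitlines():
        m = re.match(r"\s*(\d+)\s+s:(.*)$", line)
        if m:
            certs.append({"index": int(m.group(1)),
                          "subject": parse_dn(m.group(2)), "issuer": None})
            continue
        m = re.match(r"\s*i:(.*)$", line)
        if m and certs and certs[-1]["issuer"] is None:
            certs[-1]["issuer"] = parse_dn(m.group(1))
    return certs


def cn(dn: DN) -> str:
    """Common name of a DN, for readable reports."""
    return next((v for a, v in dn if a == "CN"), "<no CN>")


def check_chain(certs: List[Dict], trust_anchors: Set[DN]) -> List[Tuple[str, str]]:
    """Return (status, detail) per hop, then one entry for the trust anchor.
    'broken' means the issuer of one cert is not the subject of the next one."""
    findings = []
    for cur, nxt in zip(certs, certs[1:]):
        if cur["issuer"] == nxt["subject"]:
            findings.append(("ok", f"{cur['index']} -> {nxt['index']}: {cn(nxt['subject'])}"))
        else:
            findings.append(("broken", f"{cur['index']} -> {nxt['index']}: issuer is "
                             f"'{cn(cur['issuer'])}' but next subject is '{cn(nxt['subject'])}'"))
    last = certs[-1]
    status = "anchored" if last["issuer"] in trust_anchors else "unanchored"
    findings.append((status, f"{last['index']}: issuer '{cn(last['issuer'])}'"))
    return findings


def missing_intermediates(certs: List[Dict]) -> List[str]:
    """CNs of issuers that no certificate in the chain carries as subject,
    i.e. the intermediates the server should have sent but did not."""
    subjects = {c["subject"] for c in certs}
    return [cn(c["issuer"]) for c in certs[:-1] if c["issuer"] not in subjects]


# Constructed from the chain quoted in the thread (PEM bodies omitted).
SAMPLE_SHOWCERTS = """\
Certificate chain
 0 s:/C=NO/ST=Norway/L=Oslo/O=EVRY AS/OU=Terms of use at www.verisign.com/rpa (c)05/CN=bankportal.preprod.evry.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
"""

# Two of the Android trust-store subjects listed later in the thread (comma form).
ANDROID_ANCHORS: Set[DN] = {parse_dn(s) for s in (
    "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority",
    "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5",
)}

if __name__ == "__main__":
    chain = parse_chain_listing(SAMPLE_SHOWCERTS)
    for status, detail in check_chain(chain, ANDROID_ANCHORS):
        print(f"[{status}] {detail}")
    for name in missing_intermediates(chain):
        print(f"missing intermediate: {name}")
```

Run as-is it reports hop 0 -> 1 as broken (issuer G3, next subject G5), cert 1 as anchored on the Class 3 Public Primary CA, and the G3 intermediate as missing from what the server sends. Name equality is only the quick diagnostic; a real validator also verifies each signature with the next certificate's public key, and the older Android releases discussed below may additionally require the exact CA bytes, so a name match is necessary but not sufficient.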

On Tue, Nov 12, 2013 at 12:29 AM, Sondre Mære Overskaug
<[email protected]> wrote:
> The site does not work in the Android browser. When I press "View
> certificate" this is what I see:
>
> Common name:
> bankportal.preprod.evry.com (this is the same as the URL I am trying to
> reach)
>
> Organisation: EVRY AS
>
> Organisational unit:
> Terms of use at www.verisign.com/rpa (c)05
>
> Issued by:
> Common name:
> VeriSign Class 3 International Server CA - G3
>
> Organisation:
> VeriSign, Inc
>
> Organisational unit:
> VeriSign Trust Network
>
> Validity:
>
> Issued on:
> 17/09/2013
>
> Expires on:
> 18/10/2014
>
> And here are the certificates:
>
> Certificate chain
>  0 s:/C=NO/ST=Norway/L=Oslo/O=EVRY AS/OU=Terms of use at
> www.verisign.com/rpa (c)05/CN=bankportal.preprod.evry.com
>    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server
> CA - G3
> -----BEGIN CERTIFICATE-----
> MIIFcjCCBFqgAwIBAgIQFvVcSSJbF5BMJLblxQk/4zANBgkqhkiG9w0BAQUFADCB
> vDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
> ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
> YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDE2MDQGA1UEAxMt
> VmVyaVNpZ24gQ2xhc3MgMyBJbnRlcm5hdGlvbmFsIFNlcnZlciBDQSAtIEczMB4X
> DTEzMDkxNzAwMDAwMFoXDTE0MTAxNzIzNTk1OVowgZoxCzAJBgNVBAYTAk5PMQ8w
> DQYDVQQIEwZOb3J3YXkxDTALBgNVBAcUBE9zbG8xEDAOBgNVBAoUB0VWUlkgQVMx
> MzAxBgNVBAsUKlRlcm1zIG9mIHVzZSBhdCB3d3cudmVyaXNpZ24uY29tL3JwYSAo
> YykwNTEkMCIGA1UEAxQbYmFua3BvcnRhbC5wcmVwcm9kLmV2cnkuY29tMIIBIjAN
> BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzTLg1+OlcWSjAXDvBhESgGq42VKV
> tMnP/m74JTVuOHTCnkRzc/bakycqtPx5IVM4IeDpS03+F0n33HJ8VHVLUUEF7aQi
> qQXxY+x3XP5QRdAM6GQJswo9xFBUMqgjymzLSUsL8MjUsUAnNRPH7jazb10OX49t
> Ozm6NOQNfxhqGsTSAtGsE7dEE5HlfXS0Qc6ofk7e0Yre5onQwDndeDpopwyYvW8x
> NxztzdO20APo157NsNqpeLK2p6E4PQKwT1q4qSO9z1kdDXxEeKuHCHT6iVaZE2gd
> YdWPvdlkQjkKWJyb75kF+JLZ9fPtXDbZ7HZuwfQeLjgcCdKTwfb+skFhtQIDAQAB
> o4IBjjCCAYowJgYDVR0RBB8wHYIbYmFua3BvcnRhbC5wcmVwcm9kLmV2cnkuY29t
> MAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMEMGA1UdIAQ8MDowOAYKYIZIAYb4
> RQEHNjAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3Bz
> MEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9TVlJJbnRsLUczLWNybC52ZXJpc2ln
> bi5jb20vU1ZSSW50bEczLmNybDAoBgNVHSUEITAfBggrBgEFBQcDAQYIKwYBBQUH
> AwIGCWCGSAGG+EIEATAfBgNVHSMEGDAWgBTXm3zYIqAV992tX84pm1jDvEYAtTBy
> BggrBgEFBQcBAQRmMGQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWdu
> LmNvbTA8BggrBgEFBQcwAoYwaHR0cDovL1NWUkludGwtRzMtYWlhLnZlcmlzaWdu
> LmNvbS9TVlJJbnRsRzMuY2VyMA0GCSqGSIb3DQEBBQUAA4IBAQBO2gCFzxsLDLlO
> CQmRSn2URT+Nry4w33AWl4glhQZtKOkHgDSPUkWrKQLndKw3KNZVnVLOHUEk+Mjn
> 8ghvZuqmaAiGFKb2M44MuCxVYFx2hvtk6g+DEXIp6Nh3uLcQY1it386b2b8mqQJ6
> XtEMpxSo/qmcdeZwSNL8IYDj0XMMCGSu0zpeT/GSDkN/wEyICmkRMO9tgOkB0bdY
> WhU1uWFIFLxemFiFB/PBX/hdtaGzAws4BrkuJSOw90u/73GoJqlMYT205ivbrMm8
> bBXypXPWc/T5f8qCp4+KaZeAAlOXbVDL1KlVj2v6uWYP4nLpfdrJ4SgQFdzGJ+xK
> 7Ly/zZE4
> -----END CERTIFICATE-----
>  1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign,
> Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
> Certification Authority - G5
>    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> Authority
> -----BEGIN CERTIFICATE-----
> MIIEkDCCA/mgAwIBAgIQGwk7eGCW2je7pFGURsiWeDANBgkqhkiG9w0BAQUFADBf
> MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
> LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
> HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx
> FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz
> dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZv
> ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz
> IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEi
> MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8
> RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70Pb
> ZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBR
> TdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/
> Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNH
> iDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMB
> AAGjggFbMIIBVzAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGh0
> dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjA9
> BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVy
> aXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwbQYI
> KwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQU
> j+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29t
> L3ZzbG9nby5naWYwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
> b2NzcC52ZXJpc2lnbi5jb20wDQYJKoZIhvcNAQEFBQADgYEAo819HvfHdY1I51Y0
> TACQdalRpVbBbbz+9VMi6ZiirJp+cB6zjjtF44aVMdptTPs0UICWzSTyQN8EP+Jl
> zjQiYRXqZnBk0vFu88oYWWpBRn6C3hmwcDFWaQ0M5h2dcVjczN5i9eF6EALYetw7
> +le9yemPRiE5n1FlTI46vihBcB0=
> -----END CERTIFICATE-----
>
> At 20:24:54 UTC+1 on Thursday, 7 November 2013, Brian Carlstrom wrote:
>>
>> openssl s_client -connect insert.correct.domain.here:443 -showcerts
>> should let you capture the PEM of the certs in the chain, not just
>> their name.
>>
>> Does the site work in the Android browser? Could it be untrusted
>> because the hostname doesn't match the cert, not because of the
>> certificate chain?
>>
>> -bri
>>
>>
>> On Thu, Nov 7, 2013 at 11:20 AM, Sondre Mære Overskaug
>> <[email protected]> wrote:
>> > Hi Brian, thanks for the reply.
>> >
>> > I did not type the domain since it is not reachable from the outside
>> > anyways. It is in a private enterprise network. Regarding the Android version, I
>> > use API level 15, which is Android 4.1.x. Is there some more information I
>> > can produce to be able to verify your theory?
>> >
>> > Kind regards
>> > Sondre Mære Overskaug
>> > System manager, Corporate Mobile
>> > Self Service Corporate
>> >
>> > [email protected]
>> > M +47 451 86 579
>> >
>> >> On 7 Nov 2013 at 20:01, Brian Carlstrom <[email protected]> wrote:
>> >>
>> >> What version of Android? I believe older versions of Android (perhaps
>> >> 2.3 and earlier?) were sensitive that the CA bytes match, not just
>> >> the CA public key. Some CAs have reissued their CA certs, which can
>> >> be a problem. One of the old VeriSign ones was like this.
>> >>
>> >> If you would tell me the server name, I could verify this is the
>> >> issue. But since you think that keeping your server name secret has
>> >> anything to do with the security of the server, I can't help you
>> >> further.
>> >>
>> >> -bri
>> >>
>> >> On Sat, Nov 2, 2013 at 5:23 AM, Sondre Mære Overskaug
>> >> <[email protected]> wrote:
>> >>> Hi!
>> >>>
>> >>> I am currently developing a hybrid Android app using the WebView
>> >>> component. I am struggling with an SSL certificate on my domain hosting
>> >>> the webapp/webpage.
>> >>>
>> >>> I am getting a SslError.SSL_UNTRUSTED exception when trying to open the
>> >>> webapp in my WebView. The certificate which triggers the exception is
>> >>> (I have removed the actual domain from the chain for security reasons):
>> >>>
>> >>> Certificate: Issued to: CN=insert.correct.domain.here,OU=Terms of use at www.verisign.com/rpa (c)05,O=EVRY AS,L=Oslo,ST=Norway,C=NO;
>> >>>        Issued by: CN=VeriSign Class 3 International Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US;
>> >>>
>> >>> Here is the certificate chain from my domain:
>> >>>
>> >>> Certificate chain
>> >>> 0 s:/C=NO/ST=Norway/L=Oslo/O=EVRY AS/OU=Terms of use at www.verisign.com/rpa (c)05/CN=insert.correct.domain.here
>> >>>   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
>> >>> 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
>> >>>   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
>> >>>
>> >>> I have scoured the web, and finally found a reply from a Google employee
>> >>> stating that these root certificates from VeriSign are supported by
>> >>> Android.
>> >>>
>> >>> 524d9b43.0:        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal Root Certification Authority
>> >>> 5e4e69e7.0:        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2007 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G4
>> >>> 72fa7371.0:        Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
>> >>> 7651b327.0:        Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
>> >>> 7d453d8f.0:        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G3
>> >>> c527e4ab.0:        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 4 Public Primary Certification Authority - G3
>> >>> ed049835.0:        Subject: C=US, O=VeriSign, Inc., OU=Class 4 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
>> >>> facacbc6.0:        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
>> >>>
>> >>> As far as I can see (I am no certificate expert), there should be no
>> >>> problem with our certificate chain?
>> >>>
>> >>> --
>> >>> You received this message because you are subscribed to the Google
>> >>> Groups
>> >>> "Android Security Discussions" group.
>> >>> To unsubscribe from this group and stop receiving emails from it, send
>> >>> an
>> >>> email to [email protected].
>> >>> To post to this group, send email to
>> >>> [email protected].
>> >>> Visit this group at
>> >>> http://groups.google.com/group/android-security-discuss.
>> >>> For more options, visit https://groups.google.com/groups/opt_out.
>
