On Sun, Mar 3, 2024 at 1:47 PM Marcelo Laia <marcelol...@gmail.com> wrote:
>
> Hello Debian users!
>
> When accessing the website https://gontijoonibus.gontijo.com.br/ on Firefox
> Android (on my smartphone), the site is accessed normally. However, when
> attempting to access this site on the desktop, Debian Firefox-ESR version
> 115.8.0esr (64-bit), the following error occurs:
>
> Secure Connection Failed
> An error occurred during a connection to gontijoonibus.gontijo.com.br.
> The page you are trying to view cannot be displayed because the authenticity
> of the received data could not be verified.
> Please contact the website owners to inform them of this problem.
According to OpenSSL and the default CA list on Ubuntu 22.04, the connection looks OK. The problem appears to be more than a simple problem connecting. If I had to hazard a guess, I would start with the wildcard in the Common Name (CN) shown below. I know the CA/Browser Baseline Requirements changed recently, and CN is now a SHOULD NOT. Wildcards have been frowned upon but not forbidden. Maybe the browsers are moving against wildcards in the CN now.

Note: tooling, like cURL, OpenSSL and Wget, follows the IETF's Internet PKI (PKIX). Browsers follow the CA/Browser Baseline Requirements (Web PKI). They mostly overlap, but they have a fair amount of differences once you accumulate some knowledge about them. And the IETF lawyers wrote a nasty letter to the W3C a couple of years ago because the W3C was publishing incompatible standards. See <https://www.ietf.org/media/documents/2023.01.26_Correspondence_IETF.pdf>. And from my observations, the CA/Browser Forum has been doing the same thing. So I would not be surprised if there's an incompatible change between PKIX and Web PKI.
<CODE>
$ echo -e 'GET / HTTP/1.1\r\n\r\n' | openssl s_client -connect gontijoonibus.gontijo.com.br:443 -servername gontijoonibus.gontijo.com.br
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
verify return:1
depth=0 CN = *.gontijo.com.br
verify return:1
---
Certificate chain
 0 s:CN = *.gontijo.com.br
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 9 00:00:00 2023 GMT; NotAfter: May 8 23:59:59 2024 GMT
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 2 12:24:25 2017 GMT; NotAfter: Nov 2 12:24:25 2027 GMT
 2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 1 12:00:00 2013 GMT; NotAfter: Jan 15 12:00:00 2038 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGITCCBQmgAwIBAgIQB7Bs73IlM/884Dqb8/YZoTANBgkqhkiG9w0BAQsFADBe
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMR0wGwYDVQQDExRUaGF3dGUgVExTIFJTQSBDQSBHMTAe
Fw0yMzA1MDkwMDAwMDBaFw0yNDA1MDgyMzU5NTlaMBsxGTAXBgNVBAMMECouZ29u
dGlqby5jb20uYnIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNoYUM
EjKsU7gHu5iZpkwZkwJGyMe1l5d1+YVUJLkB23vxGXxSRoYVOqhPR/sbvyue0FFA
OwbKriu+XjXA/dCOC6hEX9UbvHK9i5YFaPbJIDkwZKuA3SltFSyJsuRNP7dpYEkY
uxZ4pcLBtEAh9+im1g5l4ubrFDrxdr5Wvjne6viDyZ+40Alc+i1pirlymsD7k6tH
4bLaR+qopr6YqufzOkWlcodNbCnQ3TF1ZOVppwJDYvWaROQ8WcUC5c3v4TDYcXrq
YasWMtN2GL+UwQL4Gc/q9slkpG1ML8lX50CwxhGAngjz8PdNq9ql+kHa9XfTx+5G
DYrshriHimk9POppAgMBAAGjggMcMIIDGDAfBgNVHSMEGDAWgBSljP4yzOsPLNQZ
xgi4ACSIXcPFtzAdBgNVHQ4EFgQUOgqjT5nVOc1VYZ8vm/Y80TI7UIEwKwYDVR0R
BCQwIoIQKi5nb250aWpvLmNvbS5icoIOZ29udGlqby5jb20uYnIwDgYDVR0PAQH/
BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA7BgNVHR8ENDAy
MDCgLqAshipodHRwOi8vY2RwLnRoYXd0ZS5jb20vVGhhd3RlVExTUlNBQ0FHMS5j
cmwwPgYDVR0gBDcwNTAzBgZngQwBAgEwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3
dy5kaWdpY2VydC5jb20vQ1BTMHAGCCsGAQUFBwEBBGQwYjAkBggrBgEFBQcwAYYY
aHR0cDovL3N0YXR1cy50aGF3dGUuY29tMDoGCCsGAQUFBzAChi5odHRwOi8vY2Fj
ZXJ0cy50aGF3dGUuY29tL1RoYXd0ZVRMU1JTQUNBRzEuY3J0MAkGA1UdEwQCMAAw
ggF+BgorBgEEAdZ5AgQCBIIBbgSCAWoBaAB2AO7N0GTV2xrOxVy3nbTNE6Iyh0Z8
vOzew1FIWUZxH7WbAAABiABkUyYAAAQDAEcwRQIgfzcKflXhHpmu5GHg8S048cs8
vpP1gxpdWDsSoIW7iBICIQDMDeAMb6rf8XcdLAxVXeScb4DE6WI73WrxLuhijv7O
+gB2AEiw42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABiABkUyUAAAQD
AEcwRQIgP46qqZOnzi6Zp+F30GBTHY5LpCR9uL55MFTS+XnRsv0CIQDTC52xy9Gl
xzzDqltvAGVq10MgnLY9rIvZMccRsEVgEAB2ANq2v2s/tbYin5vCu1xr6HCRcWy7
UYSFNL2kPTBI1/urAAABiABkUvIAAAQDAEcwRQIgAtm8xShzPd6lmxA4dGyZzQKa
U6fmBbCDIkyqNnKgOtoCIQCx5g1X5GBvuqkBlQHIYeWQ4UB1tNEtYYN/z3D293Lf
LTANBgkqhkiG9w0BAQsFAAOCAQEARpS7/BX4uVMvOMGfTo92uZNMozhWJzE+5o+k
ARsyf8FPmTNjHs+Z6A+DWTQ/4AAJ+cRv9LJzHpXw4X/o3u6VF5+rma20q7eLupxg
wR42zPCAw0SvfgbPvJsEZ/PE2ydOcWQ2Td3jr5ef/mxuyDxf3t7UvwMAVJLcZgHw
eF+DSBvq+2T1td5/B8K85vjhF0PSjji39GH/aX//jv4m/lrplUTXu+dxFCoeMS1t
yD2XppYHTThvxHjOEs77GnLcvZZqX+21+K7b8QqmzHidCAapVGBNiGoyMhVhZq7B
aUH4Sou6JqALkvso5pLFdfk4Lg+sBpogecpqaK+W6SpBAAxoFQ==
-----END CERTIFICATE-----
subject=CN = *.gontijo.com.br
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4224 bytes and written 410 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
</CODE>

Jeff
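Added example, not part of the thread above: a stdlib-only Python script that pulls the dNSName entries out of the subjectAltName extension of the leaf certificate Jeff pasted and checks a requested host against them with the wildcard rules browsers apply (RFC 6125 section 6.4.3 and the CA/Browser Forum Baseline Requirements: a `*` counts only as the entire left-most label and matches exactly one label; browsers consult the SAN, not the CN, for this check). It goes a little beyond the thread by also trying names the certificate should not cover. The certificate bytes are the ones from the openssl output; the tiny DER walker is my own and handles only what this certificate needs (single-byte tags, definite lengths), so it is not a general X.509 parser.

```python
import base64

# Leaf certificate exactly as printed by openssl s_client above.
LEAF_PEM = """-----BEGIN CERTIFICATE-----
MIIGITCCBQmgAwIBAgIQB7Bs73IlM/884Dqb8/YZoTANBgkqhkiG9w0BAQsFADBe
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMR0wGwYDVQQDExRUaGF3dGUgVExTIFJTQSBDQSBHMTAe
Fw0yMzA1MDkwMDAwMDBaFw0yNDA1MDgyMzU5NTlaMBsxGTAXBgNVBAMMECouZ29u
dGlqby5jb20uYnIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNoYUM
EjKsU7gHu5iZpkwZkwJGyMe1l5d1+YVUJLkB23vxGXxSRoYVOqhPR/sbvyue0FFA
OwbKriu+XjXA/dCOC6hEX9UbvHK9i5YFaPbJIDkwZKuA3SltFSyJsuRNP7dpYEkY
uxZ4pcLBtEAh9+im1g5l4ubrFDrxdr5Wvjne6viDyZ+40Alc+i1pirlymsD7k6tH
4bLaR+qopr6YqufzOkWlcodNbCnQ3TF1ZOVppwJDYvWaROQ8WcUC5c3v4TDYcXrq
YasWMtN2GL+UwQL4Gc/q9slkpG1ML8lX50CwxhGAngjz8PdNq9ql+kHa9XfTx+5G
DYrshriHimk9POppAgMBAAGjggMcMIIDGDAfBgNVHSMEGDAWgBSljP4yzOsPLNQZ
xgi4ACSIXcPFtzAdBgNVHQ4EFgQUOgqjT5nVOc1VYZ8vm/Y80TI7UIEwKwYDVR0R
BCQwIoIQKi5nb250aWpvLmNvbS5icoIOZ29udGlqby5jb20uYnIwDgYDVR0PAQH/
BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA7BgNVHR8ENDAy
MDCgLqAshipodHRwOi8vY2RwLnRoYXd0ZS5jb20vVGhhd3RlVExTUlNBQ0FHMS5j
cmwwPgYDVR0gBDcwNTAzBgZngQwBAgEwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3
dy5kaWdpY2VydC5jb20vQ1BTMHAGCCsGAQUFBwEBBGQwYjAkBggrBgEFBQcwAYYY
aHR0cDovL3N0YXR1cy50aGF3dGUuY29tMDoGCCsGAQUFBzAChi5odHRwOi8vY2Fj
ZXJ0cy50aGF3dGUuY29tL1RoYXd0ZVRMU1JTQUNBRzEuY3J0MAkGA1UdEwQCMAAw
ggF+BgorBgEEAdZ5AgQCBIIBbgSCAWoBaAB2AO7N0GTV2xrOxVy3nbTNE6Iyh0Z8
vOzew1FIWUZxH7WbAAABiABkUyYAAAQDAEcwRQIgfzcKflXhHpmu5GHg8S048cs8
vpP1gxpdWDsSoIW7iBICIQDMDeAMb6rf8XcdLAxVXeScb4DE6WI73WrxLuhijv7O
+gB2AEiw42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABiABkUyUAAAQD
AEcwRQIgP46qqZOnzi6Zp+F30GBTHY5LpCR9uL55MFTS+XnRsv0CIQDTC52xy9Gl
xzzDqltvAGVq10MgnLY9rIvZMccRsEVgEAB2ANq2v2s/tbYin5vCu1xr6HCRcWy7
UYSFNL2kPTBI1/urAAABiABkUvIAAAQDAEcwRQIgAtm8xShzPd6lmxA4dGyZzQKa
U6fmBbCDIkyqNnKgOtoCIQCx5g1X5GBvuqkBlQHIYeWQ4UB1tNEtYYN/z3D293Lf
LTANBgkqhkiG9w0BAQsFAAOCAQEARpS7/BX4uVMvOMGfTo92uZNMozhWJzE+5o+k
ARsyf8FPmTNjHs+Z6A+DWTQ/4AAJ+cRv9LJzHpXw4X/o3u6VF5+rma20q7eLupxg
wR42zPCAw0SvfgbPvJsEZ/PE2ydOcWQ2Td3jr5ef/mxuyDxf3t7UvwMAVJLcZgHw
eF+DSBvq+2T1td5/B8K85vjhF0PSjji39GH/aX//jv4m/lrplUTXu+dxFCoeMS1t
yD2XppYHTThvxHjOEs77GnLcvZZqX+21+K7b8QqmzHidCAapVGBNiGoyMhVhZq7B
aUH4Sou6JqALkvso5pLFdfk4Lg+sBpogecpqaK+W6SpBAAxoFQ==
-----END CERTIFICATE-----"""

ID_CE_SUBJECT_ALT_NAME = bytes.fromhex("551d11")  # OID 2.5.29.17 in DER form


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def der_read(buf, pos):
    """Read one DER TLV at pos (single-byte tag, definite length, as used here).
    Returns (tag, value, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = der_read(value, pos)
        yield tag, child


def san_dns_names(der_cert):
    """dNSName entries of the subjectAltName extension, in certificate order."""
    _, cert, _ = der_read(der_cert, 0)         # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert, 0)              # tbsCertificate is its first element
    for tag, val in der_children(tbs):
        if tag != 0xA3:                        # extensions are [3] EXPLICIT
            continue
        _, exts, _ = der_read(val, 0)          # SEQUENCE OF Extension
        for _, ext in der_children(exts):
            fields = list(der_children(ext))   # extnID, optional critical, extnValue
            if fields[0][1] == ID_CE_SUBJECT_ALT_NAME:
                _, names, _ = der_read(fields[-1][1], 0)  # OCTET STRING wraps GeneralNames
                return [v.decode("ascii") for t, v in der_children(names) if t == 0x82]
    return []


def name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive; '*' is honoured only as the
    whole left-most label and matches exactly one label (never the bare domain)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(der_cert, hostname):
    """True when some SAN dNSName in the certificate matches hostname."""
    return any(name_matches(n, hostname) for n in san_dns_names(der_cert))


if __name__ == "__main__":
    der = pem_to_der(LEAF_PEM)
    print("SAN dNSNames:", san_dns_names(der))
    for host in ("gontijoonibus.gontijo.com.br", "gontijo.com.br", "a.b.gontijo.com.br"):
        print(f"{host:32} covered={cert_covers(der, host)}")
```

The certificate carries both `*.gontijo.com.br` and `gontijo.com.br` as dNSNames, so the host from the original report is covered by the wildcard entry and the bare domain by the second entry, while a two-level name such as `a.b.gontijo.com.br` is not; whatever Firefox ESR is objecting to, it is not the name check.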