> From: owner-openssl-us...@openssl.org On Behalf Of Carl Young > Sent: Tuesday, 18 June, 2013 07:10
> Sorry for top-post - webmail :( > > In TLS, the server should not send the root certificate - it > sends the chain up to, but not including, the root certificate. > > From (sorry) > http://technet.microsoft.com/en-us/library/cc783349(v=ws.10).aspx <snip> "should not" is a little strong. It doesn't NEED to -- the relier (here client) must never trust a root sent in the handshake -- but it does no harm other than wasting a little wire time. For client authentication when used the same is true the other direction. RFC5246 says the root "MAY be omitted". > From: owner-openssl-us...@openssl.org on behalf of Cristian > Thiago Moecke [cont...@cristiantm.com.br] > Sent: 18 June 2013 11:43 > > If the only certificate that is shown is the server > certificate, the server is not providing the certificate > chain, only the server certificate. This way, you wont be > able to get the CA certificate from the SSL connection. Maybe > your network admins want to fix that too. > If it's for his own company's servers, perhaps. If it's for ycombinator, probably not but see below. > > What is strange is that exceptions are not working as > expected. Is there any chance that the certificate is > changing from time to time? > I agree that is strange. See below. > On Tue, Jun 18, 2013 at 3:07 AM, A A <wemp...@gmail.com> wrote: > > > When I go to SSL site I see this message in fx: > > "You have asked Firefox to connect securely to > news.ycombinator.com, > > but we can't confirm that your connection is secure. <snip> > (Error code: sec_error_unknown_issuer)" > > And then I go to Add exception -> View -> Details tab -> Certificate > hierarchy but there is only news.ycombinator.com present. When I > export it and try to import it into fx I get: > > "This is not a certificate authority certificate, so it can't be > imported into the certificate authority list." > > So I think this is not CA certificate but a server certificate. > You're almost certainly right. If the cert Subject names the site and the Issuer names some CA, like the one I see just below, then it isn't a CA cert (and definitely not a root). But when *I* connect to news.ycombinator.com:443 with s_client I get a chain of 3, compressed for posting: 0 s:.../O=Y Combinator LLC/CN=news.ycombinator.com i:/C=US/O=Entrust, Inc./.../CN=Entrust Certification Authority - L1C 1 s:(same) i:/O=Entrust.net/.../CN=Entrust.net Certification Authority (2048) 2 s:(same) i:/C=US/.../CN=Entrust.net Secure Server Certification Authority No root for that chain is sent, but my Firefox (now 21) for that site finds a "shortcut" root (in "BuiltinTokenObject") instead of #2. This is most likely because "Secure Server Certification Authority" is 1024 bits, and when transitioning to 2048 they provided a "bridge" to the old root for reliers who don't have the new root but prefer the new root for "proper" 2048 security. #1 and #0 are both 2048. (The root for "Certification Authority (2048)" has notbefore in 1999, but I'm not convinced it was actually issued then.) Could you maybe be routed to a different machine? I got 184.172.10.74 . > And about recurring errors on the same site: I have a number of server > exceptions in "Servers" list under my company custom CA certificate in > Advanced -> View Certificates -> Servers. All of them are marked > "Permanent". Nevertheless, the error page I described above appears > from time to time even on sites that I have previously added to a > trusted list. It's extremely annoying and I don't know why this > happens. I use Firefox 21. > I agree with the previous responder: this is strange, unless the cert changed, and for that to happen often would be pretty odd. One possibility: could it be that (some of) the company servers are not single machines but "farms" or load-sharing or load-balancing systems, which have multiple physical machines that *should* all be using the same key-and-certificate but maybe aren't? ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
