[galaxy-dev] Incorrect chain order for SSL certificates on Galaxy main

2012-10-31 Thread Brad Chapman

Hi all;
I ran into SSL certification errors when using Java to connect to Galaxy
main via the API. My knowledge of this stuff is minimal, but I did some
searching and discovered that the certificate chain on Galaxy main is a problem:

https://www.ssllabs.com/ssltest/analyze.html?d=main.g2.bx.psu.edu

Looking at the chain with openssl shows a swap of the AddTrust and Internet2
certificates:

$ openssl s_client -connect main.g2.bx.psu.edu:443
CONNECTED(0003)
depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/postalCode=16802/ST=PA/L=University Park/O=The Pennsylvania State University/OU=Center for Comparative Genomics and Bioinformatics/CN=bigsky.bx.psu.edu
   i:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---

As a result, more picky verification mechanisms fail because of the
self-signed certificate in the middle of the chain instead of as the root.

It appears you can fix this by adjusting the order of certificates
in nginx:

http://webmasters.stackexchange.com/questions/27842/how-to-prevent-ssl-certificate-chain-not-sorted/28074#28074
http://nginx.org/en/docs/http/configuring_https_servers.html#chains

Hope this helps,
Brad
___
Please keep all replies on the list by using reply all
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

  http://lists.bx.psu.edu/
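As an added example (not part of the thread), a small Python checker that applies the rule Brad describes to the s_client listing above: each certificate must be issued by the one that follows it, and a self-signed root must not sit in the middle. The sample input is the chain listing from the message; the function names are my own.

```python
import re
from typing import List, Tuple

# Subject/issuer lines as printed by "openssl s_client" in the message above
# (copied here as sample input so the script runs offline).
SAMPLE_CHAIN = """\
Certificate chain
 0 s:/C=US/postalCode=16802/ST=PA/L=University Park/O=The Pennsylvania State University/OU=Center for Comparative Genomics and Bioinformatics/CN=bigsky.bx.psu.edu
   i:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
"""

Cert = Tuple[str, str]  # (subject, issuer) exactly as s_client prints them


def parse_chain(text: str) -> List[Cert]:
    """Extract (subject, issuer) pairs from the 'Certificate chain' section."""
    subjects = re.findall(r"^[ \t]*\d+ s:(.+)$", text, re.MULTILINE)
    issuers = re.findall(r"^[ \t]*i:(.+)$", text, re.MULTILINE)
    if len(subjects) != len(issuers):
        raise ValueError("unpaired subject/issuer lines in s_client output")
    return list(zip(subjects, issuers))


def chain_problems(chain: List[Cert]) -> List[str]:
    """Report each place where the sent order is not leaf -> intermediate(s) -> root.

    Strict TLS verifiers expect chain[i] to be issued by chain[i+1]; a
    self-signed certificate (subject == issuer) is a root and belongs last.
    """
    problems = []
    for i in range(len(chain) - 1):
        subj, iss = chain[i]
        if subj == iss:
            problems.append(f"position {i}: self-signed root sent before the end of the chain")
        if iss != chain[i + 1][0]:
            problems.append(f"position {i}: issuer {iss!r} != next subject {chain[i + 1][0]!r}")
    return problems


def reorder_chain(chain: List[Cert]) -> List[Cert]:
    """Rebuild the expected order by following issuer links from the leaf."""
    by_subject = {subj: (subj, iss) for subj, iss in chain}
    issued = {iss for _, iss in chain}
    leaves = [c for c in chain if c[0] not in issued]  # nobody names the leaf as issuer
    if len(leaves) != 1:
        raise ValueError("could not identify a unique leaf certificate")
    ordered, cur = [], leaves[0]
    while cur is not None and cur not in ordered:  # guard against malformed loops
        ordered.append(cur)
        cur = None if cur[0] == cur[1] else by_subject.get(cur[1])
    return ordered
```

Running `chain_problems(parse_chain(SAMPLE_CHAIN))` flags the swapped AddTrust/InCommon positions, and `reorder_chain` yields the leaf, InCommon, AddTrust order that nginx should serve.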


Re: [galaxy-dev] Incorrect chain order for SSL certificates on Galaxy main

2012-10-31 Thread Nate Coraor
On Oct 31, 2012, at 8:55 AM, Brad Chapman wrote:

Hi Brad,

Thanks for catching this.  It's been fixed.

--nate


