Re: [Discuss] Rekonq doesn't trust my Certificate Authority

2015-03-12 Thread Chris Markiewicz
On 03/12/2015 07:28 AM, Dan Ritter wrote:
> On Thu, Mar 12, 2015 at 12:00:59AM -0400, Bill Horne wrote:
> > I've come across an odd problem with Rekonq, and I'm looking for help.
> >
> > I have a real SSL certificate for my website, billhorne.com. It
> > shows, as is expected, a padlock icon when I go to
> > https://billhorne.com/ .
> >
> > Except when I use Rekonq, and then the KDE browser gives me an
> > untrusted error, saying that the root CA certificate is not
> > trusted for this use.  Google searches show that it's a known
> > problem, but the only pages I found were of suggestions that there
> > was a MITM attack in progress or warning against using a self-signed
> > cert.
> >
> > I took a screen shot of the details page: it's at
> > https://billhorne.com/snapshot1.png .  All suggestions are welcome,
> > and thank you in advance.
>
> https://www.ssllabs.com/ssltest/analyze.html?d=billhorne.com&latest
>
> You probably have some certificate chain problems that Rekonq is
> sensitive to.

Yes, specifically, Bill is sending a GeoTrust Global CA cert signed by
a weak (1024-bit) EquiFax CA. He is also not sending the RapidSSL
intermediate cert. So Rekonq could be upset at the broken chain or
possibly the partial chain being untrustworthy.

Replacing your chain with the RapidSSL SHA256 CA - G3 cert with
fingerprint 0e34141846e7423d37f20dc0ab06c9bbd843dc24 should resolve
this. (Can be found here:
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26457)

> You support weak algorithms -- try:
>
> SSLCipherSuite ALL:!ADH:RC4:+HIGH:+MEDIUM:!LOW:!EXP:!AECDH
> SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
> SSLCompression off
>
> With RC4, you have some weakness, but without RC4, you'll lose a
> lot of older browsers. In a year or three you can probably drop
> that, too.

If it's a personal website, I don't see much disadvantage to dropping
these. If somebody complains they can't see it, maybe consider
reenabling RC4, but if you don't need to worry about losing business
from people running XP, there's no need to preemptively weaken.

On sites where I'm interested in making sure friends and family can
connect, this is my suite:

EECDH:EDH:!MEDIUM:!LOW:!EXP:!DSS:!aNULL:!eNULL:!RC4:!3DES:!SEED:!MD5

Again, though, I'm interested in personal users who have almost
certainly upgraded machines in the last 5 years, not corporate clients
who may be running early-00's tech.

> And when you renew the cert, you should get SHA2 instead of
> SHA1.

Bill's is SHA2. It's the chain that's not.
___
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
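The thread contrasts two Apache SSLCipherSuite strings: Dan's (which keeps RC4 and static-RSA key exchange for old clients) and Chris's (ECDHE/DHE only, with RC4, 3DES, SEED and MD5 excluded). The script below is an added example, not code from either poster: it asks the locally installed OpenSSL, through Python's ssl module, which concrete cipher suites each string resolves to and flags legacy algorithms and suites without forward secrecy. Function names and the marker list are my own; results depend on the OpenSSL build, and modern builds ship without RC4, so the RC4 token in Dan's string may match nothing at all.

```python
import ssl

# The two cipher strings quoted in the thread.
DAN_SUITE = "ALL:!ADH:RC4:+HIGH:+MEDIUM:!LOW:!EXP:!AECDH"
CHRIS_SUITE = "EECDH:EDH:!MEDIUM:!LOW:!EXP:!DSS:!aNULL:!eNULL:!RC4:!3DES:!SEED:!MD5"

# Substrings of OpenSSL cipher names that identify the legacy algorithms
# the thread argues about (constructed list, not from the original posts).
LEGACY_MARKERS = ("RC4", "DES-CBC3", "3DES", "SEED", "MD5")


def expand_cipher_string(cipher_string):
    """Resolve an SSLCipherSuite-style string into the concrete suites
    the local OpenSSL would offer, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def audit_cipher_string(cipher_string):
    """Report offered suites, legacy suites, and suites lacking forward secrecy."""
    ciphers = expand_cipher_string(cipher_string)
    names = [c["name"] for c in ciphers]
    legacy = [n for n in names if any(m in n for m in LEGACY_MARKERS)]
    # TLS 1.3 suites always use an ephemeral key exchange; for older
    # protocol versions only ECDHE or DHE key exchange gives forward secrecy.
    # Static RSA key exchange (kx-rsa) is what Chris's EECDH:EDH prefix leaves out.
    non_pfs = [
        c["name"] for c in ciphers
        if c["protocol"] != "TLSv1.3" and c["kea"] not in ("kx-ecdhe", "kx-dhe")
    ]
    return {"offered": names, "legacy": legacy, "non_pfs": non_pfs}


if __name__ == "__main__":
    for label, suite in (("Dan's", DAN_SUITE), ("Chris's", CHRIS_SUITE)):
        report = audit_cipher_string(suite)
        print(f"{label} suite resolves to {len(report['offered'])} cipher suites")
        print("  legacy algorithms:", report["legacy"] or "none")
        print("  no forward secrecy:", report["non_pfs"] or "none")
```

Run it on the server's OpenSSL rather than a workstation, since the set of suites a string expands to is decided by the OpenSSL that mod_ssl links against.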


Re: [Discuss] Rekonq doesn't trust my Certificate Authority

2015-03-12 Thread Dan Ritter
> On Thu, Mar 12, 2015 at 12:00:59AM -0400, Bill Horne wrote:
> I've come across an odd problem with Rekonq, and I'm looking for help.
>
> I have a real SSL certificate for my website, billhorne.com. It
> shows, as is expected, a padlock icon when I go to
> https://billhorne.com/ .
>
> Except when I use Rekonq, and then the KDE browser gives me an
> untrusted error, saying that the root CA certificate is not
> trusted for this use.  Google searches show that it's a known
> problem, but the only pages I found were of suggestions that there
> was a MITM attack in progress or warning against using a self-signed
> cert.
>
> I took a screen shot of the details page: it's at
> https://billhorne.com/snapshot1.png .  All suggestions are welcome,
> and thank you in advance.

https://www.ssllabs.com/ssltest/analyze.html?d=billhorne.com&latest

You probably have some certificate chain problems that Rekonq is
sensitive to. You support weak algorithms -- try:

SSLCipherSuite ALL:!ADH:RC4:+HIGH:+MEDIUM:!LOW:!EXP:!AECDH
SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression off

With RC4, you have some weakness, but without RC4, you'll lose a 
lot of older browsers. In a year or three you can probably drop
that, too.

And when you renew the cert, you should get SHA2 instead of
SHA1. 

That's all the things I can see.

-dsr-


[Discuss] Rekonq doesn't trust my Certificate Authority

2015-03-11 Thread Bill Horne

I've come across an odd problem with Rekonq, and I'm looking for help.

I have a real SSL certificate for my website, billhorne.com. It shows, 
as is expected, a padlock icon when I go to https://billhorne.com/ .


Except when I use Rekonq, and then the KDE browser gives me an 
untrusted error, saying that the root CA certificate is not trusted 
for this use.  Google searches show that it's a known problem, but the 
only pages I found were of suggestions that there was a MITM attack in 
progress or warning against using a self-signed cert.


I took a screen shot of the details page: it's at 
https://billhorne.com/snapshot1.png .  All suggestions are welcome, and 
thank you in advance.


Bill

--
E. William Horne
339-364-8487
