FIXED - Re: Broken SSL cert caused by router?
Doug Barton
dougb at dougbarton.us
Sat Mar 28 19:32:04 UTC 2015
On 3/28/15 9:05 AM, Mike wrote:
> I went back to Frank's list and did some additional testing. I have a
> different server which was set up the same way as the previous one
> discussed, and I thought I would use the above tools and see if my
> problem would have been identified by any of them. I am sorry to report,
> no, none of these caught the problem either. Although I still do
> not fully understand the dependencies involved, it seems that if my
> server was failing to supply the full certificate chain, and the browser
> was compensating for it by (attempting?) to load the missing certificate
> from elsewhere, and this Meraki router was somehow able to confound
> that process, that would be an issue worthy of exploring more. I
> certainly don't blame these ssl check sites but clearly there's more
> checks needed.
The Qualys site (https://www.ssllabs.com/ssltest/analyze.html) will
report whether or not the server supplied the intermediate cert. But I
agree with you that the other tools should make a bigger deal about it
if the server doesn't supply it.
FWIW, it's been the CW to do this for some time now, as there are
systems like the one you've run into that were designed before
intermediate certs were commonplace, and don't know how to handle them.
I've also experienced situations where an enterprise purchases a DV
certificate to be used on an offline system, and while that system has
access to the "root" CA certs, it cannot retrieve the intermediate cert.
Having the end system supply the intermediate cert as well solves this
issue.
The method of supplying the intermediate cert is simple, just append the
intermediate certificate to the end of the file with your server
certificate (the .crt file). Any reasonably modern software will handle
that transparently, and provide the intermediate cert along with the
server cert when doing its business.
hope this helps,
Doug
--
I am conducting an experiment in the efficacy of PGP/MIME signatures.
This message should be signed. If it is not, or the signature does not
validate, please let me know how you received this message (direct, or
to a list) and the mail software you use. Thanks!
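The concatenation Doug describes, written out as a small POSIX sh helper. This is an added example, not code from the thread; it assumes PEM-encoded files, the file names are placeholders, and openssl is only used where it is available.

```sh
#!/bin/sh
# Added example, not from the original thread: assemble the server .crt
# with the intermediate appended (leaf first), sanity-check the result,
# and optionally confirm the bundle verifies without fetching anything.
# Assumes PEM-encoded files; file names below are placeholders.

# Number of "BEGIN CERTIFICATE" blocks in a PEM file.
pem_count() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Write leaf + intermediate(s) to $3. TLS requires the server cert first.
build_chain() {
  leaf=$1 inter=$2 out=$3
  [ "$(pem_count "$leaf")" -eq 1 ] ||
    { echo "leaf must hold exactly one certificate: $leaf" >&2; return 1; }
  [ "$(pem_count "$inter")" -ge 1 ] ||
    { echo "no certificate found in: $inter" >&2; return 1; }
  {
    cat "$leaf"
    # Add a newline if the leaf lacks one, so END/BEGIN lines do not fuse.
    [ -z "$(tail -c 1 "$leaf")" ] || echo
    cat "$inter"
  } > "$out"
}

# Confirm the bundle chains to the root using only the certs in the bundle
# (no AIA fetching), which is what a client with no network has to do.
verify_chain() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found, skipping verification" >&2
    return 0
  fi
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null
}

# How many certificates a live server actually sends in its handshake;
# 1 means the intermediate is missing and clients must fetch it themselves.
served_cert_count() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
    grep -c -e '-----BEGIN CERTIFICATE-----'
}

# Usage: sh chain.sh server.crt intermediate.crt server-chain.crt
if [ "$#" -eq 3 ]; then
  build_chain "$1" "$2" "$3"
fi
```

`verify_chain server-chain.crt root.crt` then exercises the offline case from the message: it passes only if the appended intermediate is really there.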