FIXED - Re: Broken SSL cert caused by router?

Doug Barton dougb at dougbarton.us
Sat Mar 28 19:32:04 UTC 2015


On 3/28/15 9:05 AM, Mike wrote:
> I went back to Frank's list and did some additional testing. I have a
> different server which was set up the same way as the previous one
> discussed, and I thought I would use the above tools and see if my
> problem would have been identified by any of them. I am sorry to report,
> no, none of these either caught the problem either. Although I still do
> not fully understand the dependencies involved, it seems that if my
> server was failing to supply the full certificate chain, and the browser
> was compensating for it by (attempting?) to load the missing certificate
> from elsewhere,  and this Meraki router was somehow able to confound
> that process, that would be an issue worthy of exploring more. I
> certainly don't blame these ssl check sites but clearly theres more
> checks needed.

The Qualsys site (https://www.ssllabs.com/ssltest/analyze.html) will 
report whether or not the server supplied the intermediate cert. But I 
agree with you that the other tools should make a bigger deal about it 
if the server doesn't supply it.

FWIW, it's been the CW to do this for some time now, as there are 
systems like the one you've run into that were designed before 
intermediate certs were commonplace, and don't know how to handle them.

I've also experienced situations where an enterprise purchases a DV 
certificate to be used on an offline system, and while that system has 
access to the "root" CA certs, it cannot retrieve the intermediate cert. 
Having the end system supply the intermediate cert as well solves this 
issue.

The method of supplying the intermediate cert is simple, just append the 
intermediate certificate to the end of the file with your server 
certificate (the .crt file). Any reasonably modern software will handle 
that transparently, and provide the intermediate cert along with the 
server cert when doing its business.

hope this helps,

Doug

-- 
I am conducting an experiment in the efficacy of PGP/MIME signatures. 
This message should be signed. If it is not, or the signature does not 
validate, please let me know how you received this message (direct, or 
to a list) and the mail software you use. Thanks!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20150328/d19d981e/attachment.pgp>


More information about the NANOG mailing list