[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
From: Andrew Lewman <andrew@xxxxxxxxxxxxxx>
Date: Wed, 4 Jan 2012 21:51:47 -0500
Authentication-results: lewman.is;
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 04 Jan 2012 21:52:05 -0500
In-reply-to: <CAM8WWJAWtsQqxpSA3y+J1ebUKwnXiXoAA696VAt0xTa4b_xL5Q@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Organization: The Tor Project, Inc.
References: <CAM8WWJCvDein=YuVLa71u8dcLmPtpv6AFm7GxiXmex9LRudLjQ@xxxxxxxxxxxxxx> <4F04B22A.9040205@xxxxxxxxx> <4F04B4CD.2070805@xxxxxxxxxxxxxxxxxxxxx> <4F04B6D6.6090500@xxxxxxxxxxxxxxxxxxxxx> <4F04C958.2020009@xxxxxxxxx> <CAM8WWJAWtsQqxpSA3y+J1ebUKwnXiXoAA696VAt0xTa4b_xL5Q@xxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

I think this is fixed for www.torproject.org now. Digicert apparently
updated their ca chained certs at some point. I've put the updated
ca-certs on the www servers. If this works, we can update them on all
torproject servers.

And for fun, I've attached the gnutls-cli output of the old cert in
place and the new cert in place.

tl;dr we went from:
our cert -> DigiCert High Assurance CA-3 

to now:
cert -> DigiCert High Assurance CA-3 -> DigiCert High Assurance EV Root
CA

I couldn't replicate the problem in Chromium, FF9, nor whatever version
of android i have on an obsolete phone.

-- 
Andrew
http://tpo.is/contact
pgp 0x74ED336B

gnutls-cli www.torproject.org                                                                                                                   
Resolving 'www.torproject.org'...
Connecting to '38.229.72.14:443'...
- Session ID: 57:5F:06:07:51:0A:04:4E:4E:27:EC:7F:FB:E3:FF:3C:CA:8D:A2:93:43:92:4B:09:20:34:64:B7:01:59:D8:FE
- Certificate type: X.509
 - Got a certificate list of 3 certificates.
 - Certificate[0] info:
  - subject `C=US,ST=Massachusetts,L=Walpole,O=The Tor Project\, Inc.,CN=*.torproject.org', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', RSA key 2048 bits, signed using RSA-SHA256, activated `2011-02-15 00:00:00 UTC', expires `2013-04-19 23:59:59 UTC', SHA-1 fingerprint `a7e70f8a648fe04a9677f13eedf6f91b5f7f2e25'
 - Certificate[1] info:
  - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2007-04-03 00:00:00 UTC', expires `2022-04-03 00:00:00 UTC', SHA-1 fingerprint `a2e32a1a2e9fab6ead6b05f64ea0641339e10011'
 - Certificate[2] info:
  - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', issuer `C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Secure Server Certification Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2006-10-01 05:00:00 UTC', expires `2014-07-26 18:15:15 UTC', SHA-1 fingerprint `918da5e499c15f7c6275b124fede53357c34bd36'
- The hostname in the certificate matches 'www.torproject.org'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1016 bits
 - Peer's public key: 1019 bits
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

gnutls-cli www.torproject.org                                                                                                           
Resolving 'www.torproject.org'...
Connecting to '38.229.72.14:443'...
- Session ID: FE:5A:D0:67:F9:7C:2D:03:E8:F0:E2:35:38:2D:F4:D0:D9:32:F7:95:B1:D6:E6:2F:78:F2:2B:D8:64:EB:2E:D1
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
  - subject `C=US,ST=Massachusetts,L=Walpole,O=The Tor Project\, Inc.,CN=*.torproject.org', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', RSA key 2048 bits, signed using RSA-SHA256, activated `2011-02-15 00:00:00 UTC', expires `2013-04-19 23:59:59 UTC', SHA-1 fingerprint `a7e70f8a648fe04a9677f13eedf6f91b5f7f2e25'
 - Certificate[1] info:
  - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2007-04-03 00:00:00 UTC', expires `2022-04-03 00:00:00 UTC', SHA-1 fingerprint `a2e32a1a2e9fab6ead6b05f64ea0641339e10011'
- The hostname in the certificate matches 'www.torproject.org'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits
 - Peer's public key: 1019 bits
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
  - From: Greg
- Re: [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
  - From: Nick Mathewson

References:
- [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
  - From: Greg
- Re: [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
  - From: Ondrej Mikle
- Re: [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
  - From: Pascal
- Re: [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
  - From: Pascal
- Re: [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
  - From: Ondrej Mikle
- Re: [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
  - From: Greg

Prev by Author: Re: [tor-talk] Hoax?
Next by Author: Re: [tor-talk] tor transparent proxy security concerns (autostart and dns resolve for non-tor)
Previous by thread: Re: [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
Next by thread: Re: [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
Index(es):
- Author
- Thread