
Re: [tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows



I think this is fixed for www.torproject.org now. Digicert apparently
updated their ca chained certs at some point. I've put the updated
ca-certs on the www servers. If this works, we can update them on all
torproject servers.

And for fun, I've attached the gnutls-cli output of the old cert in
place and the new cert in place.

tl;dr we went from:
our cert -> DigiCert High Assurance CA-3

to now:
cert -> DigiCert High Assurance CA-3 -> DigiCert High Assurance EV Root CA

I couldn't replicate the problem in Chromium, FF9, or whatever version
of Android I have on an obsolete phone.

-- 
Andrew
http://tpo.is/contact
pgp 0x74ED336B
gnutls-cli www.torproject.org
Resolving 'www.torproject.org'...
Connecting to '38.229.72.14:443'...
- Session ID: 57:5F:06:07:51:0A:04:4E:4E:27:EC:7F:FB:E3:FF:3C:CA:8D:A2:93:43:92:4B:09:20:34:64:B7:01:59:D8:FE
- Certificate type: X.509
 - Got a certificate list of 3 certificates.
 - Certificate[0] info:
  - subject `C=US,ST=Massachusetts,L=Walpole,O=The Tor Project\, Inc.,CN=*.torproject.org', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', RSA key 2048 bits, signed using RSA-SHA256, activated `2011-02-15 00:00:00 UTC', expires `2013-04-19 23:59:59 UTC', SHA-1 fingerprint `a7e70f8a648fe04a9677f13eedf6f91b5f7f2e25'
 - Certificate[1] info:
  - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2007-04-03 00:00:00 UTC', expires `2022-04-03 00:00:00 UTC', SHA-1 fingerprint `a2e32a1a2e9fab6ead6b05f64ea0641339e10011'
 - Certificate[2] info:
  - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', issuer `C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Secure Server Certification Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2006-10-01 05:00:00 UTC', expires `2014-07-26 18:15:15 UTC', SHA-1 fingerprint `918da5e499c15f7c6275b124fede53357c34bd36'
- The hostname in the certificate matches 'www.torproject.org'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1016 bits
 - Peer's public key: 1019 bits
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

gnutls-cli www.torproject.org
Resolving 'www.torproject.org'...
Connecting to '38.229.72.14:443'...
- Session ID: FE:5A:D0:67:F9:7C:2D:03:E8:F0:E2:35:38:2D:F4:D0:D9:32:F7:95:B1:D6:E6:2F:78:F2:2B:D8:64:EB:2E:D1
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
  - subject `C=US,ST=Massachusetts,L=Walpole,O=The Tor Project\, Inc.,CN=*.torproject.org', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', RSA key 2048 bits, signed using RSA-SHA256, activated `2011-02-15 00:00:00 UTC', expires `2013-04-19 23:59:59 UTC', SHA-1 fingerprint `a7e70f8a648fe04a9677f13eedf6f91b5f7f2e25'
 - Certificate[1] info:
  - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2007-04-03 00:00:00 UTC', expires `2022-04-03 00:00:00 UTC', SHA-1 fingerprint `a2e32a1a2e9fab6ead6b05f64ea0641339e10011'
- The hostname in the certificate matches 'www.torproject.org'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits
 - Peer's public key: 1019 bits
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
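The two gnutls-cli runs in the message are a good illustration of how to read a served chain: what matters for a client is whether each certificate's issuer is the next certificate the server sent, and which trust anchor the client has to hold on its own to close the path. The script below is an added example, not code from the original message or from the Tor Project; it feeds the two runs quoted above (embedded as constructed sample input, copied from the message) through a small parser for the gnutls-cli certificate lines and reports the chain depth, any gaps, the trust anchor each chain needs, and which certificates differ between the two. Note that "Peer's certificate issuer is unknown" appears in both runs because gnutls-cli was run without a CA file (--x509cafile), so that line on its own says nothing about whether the server's chain is correct.

```python
"""Parse gnutls-cli certificate output and check the served chain.

Added example, not part of the original message. The sample text below is
copied from the two gnutls-cli runs quoted in the message.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One gnutls-cli "Certificate[n] info" line: subject, issuer and SHA-1
# fingerprint are quoted with a backtick on the left and an apostrophe on
# the right; DN values may contain escaped commas (\,) but never an apostrophe.
CERT_RE = re.compile(
    r"subject `(?P<subject>[^']*)', issuer `(?P<issuer>[^']*)'.*?"
    r"SHA-1 fingerprint `(?P<fp>[0-9a-f]+)'"
)


@dataclass
class Cert:
    subject: str
    issuer: str
    fingerprint: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def parse_chain(text: str) -> list[Cert]:
    """Extract the Certificate[n] entries in the order the server sent them."""
    return [Cert(m["subject"], m["issuer"], m["fp"]) for m in CERT_RE.finditer(text)]


def check_chain(chain: list[Cert]) -> dict:
    """Walk the served chain and report gaps plus the trust anchor it relies on.

    A gap means cert[i] was not issued by cert[i+1] as sent. A client that
    lacks the missing issuer in its own store (and does not fetch it itself)
    cannot build a path and reports the peer as untrusted, which is what an
    "Invalid Server Certificate" error amounts to.
    """
    gaps = [(i, chain[i].issuer)
            for i in range(len(chain) - 1)
            if chain[i].issuer != chain[i + 1].subject]
    last = chain[-1]
    return {
        "depth": len(chain),
        "linked": not gaps,
        "gaps": gaps,
        # If the last cert is self-signed the server included the root itself;
        # otherwise the client must already trust the last cert's issuer.
        "anchor_needed": last.subject if last.self_signed else last.issuer,
    }


def chain_diff(before: list[Cert], after: list[Cert]) -> dict:
    """Fingerprints present in only one of two served chains."""
    b = {c.fingerprint for c in before}
    a = {c.fingerprint for c in after}
    return {"dropped": sorted(b - a), "added": sorted(a - b)}


# Constructed sample input: the certificate lines from the first (3-cert) and
# second (2-cert) gnutls-cli runs quoted in the message.
OLD_RUN = r"""
 - Got a certificate list of 3 certificates.
 - Certificate[0] info:
  - subject `C=US,ST=Massachusetts,L=Walpole,O=The Tor Project\, Inc.,CN=*.torproject.org', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', RSA key 2048 bits, signed using RSA-SHA256, activated `2011-02-15 00:00:00 UTC', expires `2013-04-19 23:59:59 UTC', SHA-1 fingerprint `a7e70f8a648fe04a9677f13eedf6f91b5f7f2e25'
 - Certificate[1] info:
  - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2007-04-03 00:00:00 UTC', expires `2022-04-03 00:00:00 UTC', SHA-1 fingerprint `a2e32a1a2e9fab6ead6b05f64ea0641339e10011'
 - Certificate[2] info:
  - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', issuer `C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Secure Server Certification Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2006-10-01 05:00:00 UTC', expires `2014-07-26 18:15:15 UTC', SHA-1 fingerprint `918da5e499c15f7c6275b124fede53357c34bd36'
"""

NEW_RUN = r"""
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
  - subject `C=US,ST=Massachusetts,L=Walpole,O=The Tor Project\, Inc.,CN=*.torproject.org', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', RSA key 2048 bits, signed using RSA-SHA256, activated `2011-02-15 00:00:00 UTC', expires `2013-04-19 23:59:59 UTC', SHA-1 fingerprint `a7e70f8a648fe04a9677f13eedf6f91b5f7f2e25'
 - Certificate[1] info:
  - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2007-04-03 00:00:00 UTC', expires `2022-04-03 00:00:00 UTC', SHA-1 fingerprint `a2e32a1a2e9fab6ead6b05f64ea0641339e10011'
"""


if __name__ == "__main__":
    old, new = parse_chain(OLD_RUN), parse_chain(NEW_RUN)
    for label, chain in (("3-cert run", old), ("2-cert run", new)):
        r = check_chain(chain)
        print(f"{label}: depth={r['depth']} linked={r['linked']} gaps={r['gaps']}")
        print(f"  client must trust: {r['anchor_needed']}")
    print("difference:", chain_diff(old, new))
```

Both served chains are internally linked; the difference is only the trust anchor each one stops at. The 3-cert run ends at the DigiCert EV Root cross-signed by Entrust, so a client needs the Entrust.net Secure Server CA in its store, while the 2-cert run needs the DigiCert High Assurance EV Root CA itself. Which of those a given client holds is what decides whether it shows a warning, and the same parser can be pointed at any gnutls-cli run against a server being debugged.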