nanog mailing list archives
Re: FIXED - Re: Broken SSL cert caused by router?
From: Doug Barton <dougb () dougbarton us>
Date: Sat, 28 Mar 2015 12:32:04 -0700
On 3/28/15 9:05 AM, Mike wrote:
I went back to Frank's list and did some additional testing. I have a different server which was set up the same way as the previous one discussed, and I thought I would use the above tools and see if my problem would have been identified by any of them. I am sorry to report, no, none of these caught the problem either. Although I still do not fully understand the dependencies involved, it seems that if my server was failing to supply the full certificate chain, and the browser was compensating for it by (attempting?) to load the missing certificate from elsewhere, and this Meraki router was somehow able to confound that process, that would be an issue worthy of exploring more. I certainly don't blame these SSL check sites, but clearly there's more checks needed.
The Qualys site (https://www.ssllabs.com/ssltest/analyze.html) will report whether or not the server supplied the intermediate cert. But I agree with you that the other tools should make a bigger deal about it if the server doesn't supply it.
FWIW, it's been the CW to do this for some time now, as there are systems like the one you've run into that were designed before intermediate certs were commonplace, and don't know how to handle them.
I've also experienced situations where an enterprise purchases a DV certificate to be used on an offline system, and while that system has access to the "root" CA certs, it cannot retrieve the intermediate cert. Having the end system supply the intermediate cert as well solves this issue.
The method of supplying the intermediate cert is simple, just append the intermediate certificate to the end of the file with your server certificate (the .crt file). Any reasonably modern software will handle that transparently, and provide the intermediate cert along with the server cert when doing its business.
hope this helps,

Doug

-- 
I am conducting an experiment in the efficacy of PGP/MIME signatures. This message should be signed. If it is not, or the signature does not validate, please let me know how you received this message (direct, or to a list) and the mail software you use. Thanks!
Attachment:
signature.asc
Description: OpenPGP digital signature