[179100] in North American Network Operators' Group
Re: FIXED - Re: Broken SSL cert caused by router?
daemon@ATHENA.MIT.EDU (Doug Barton)
Sat Mar 28 15:32:08 2015
X-Original-To: nanog@nanog.org
Date: Sat, 28 Mar 2015 12:32:04 -0700
From: Doug Barton <dougb@dougbarton.us>
To: Mike <mike-nanog@tiedyenetworks.com>
In-Reply-To: <5516D152.4060707@tiedyenetworks.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
On 3/28/15 9:05 AM, Mike wrote:
> I went back to Frank's list and did some additional testing. I have a
> different server which was set up the same way as the previous one
> discussed, and I thought I would use the above tools and see if my
> problem would have been identified by any of them. I am sorry to report,
> no, none of these caught the problem either. Although I still do
> not fully understand the dependencies involved, it seems that if my
> server was failing to supply the full certificate chain, and the browser
> was compensating for it by (attempting?) to load the missing certificate
> from elsewhere, and this Meraki router was somehow able to confound
> that process, that would be an issue worthy of exploring more. I
> certainly don't blame these SSL check sites, but clearly there are more
> checks needed.
The Qualys site (https://www.ssllabs.com/ssltest/analyze.html) will
report whether or not the server supplied the intermediate cert. But I
agree with you that the other tools should make a bigger deal about it
if the server doesn't supply it.

FWIW, it's been the CW to do this for some time now, as there are
systems like the one you've run into that were designed before
intermediate certs were commonplace, and don't know how to handle them.

I've also experienced situations where an enterprise purchases a DV
certificate to be used on an offline system, and while that system has
access to the "root" CA certs, it cannot retrieve the intermediate cert.
Having the end system supply the intermediate cert as well solves this
issue.

The method of supplying the intermediate cert is simple: just append the
intermediate certificate to the end of the file with your server
certificate (the .crt file). Any reasonably modern software will handle
that transparently, and provide the intermediate cert along with the
server cert when doing its business.
hope this helps,
Doug
-- 
I am conducting an experiment in the efficacy of PGP/MIME signatures.
This message should be signed. If it is not, or the signature does not
validate, please let me know how you received this message (direct, or
to a list) and the mail software you use. Thanks!