FriendlyCaptcha / friendly-pow

The PoW challenge library used by Friendly Captcha

SSL certificate #4

Closed sachbearbeiter closed 3 years ago

sachbearbeiter commented 3 years ago

Hello,

our developer says during the implementation of FriendlyCaptcha: "docs.friendlycaptcha.com site has a GOOD SSL certificate, but friendlycaptcha.com has a different, not so good SSL certificate."

So he gets in trouble with the security settings in Webkit based browsers (in his case: Iron). Can you reproduce this?

Thanks and best regards SB

sachbearbeiter commented 3 years ago

Last feedback: "Firefox says no problem, and reports that its connection is TLS 1.2. I do not understand why Iron will not even display the friendlycaptcha.com page, but displays docs.friendlycaptcha.com without any problem." So maybe it's Iron or somewhat our problem ...

dev-love commented 3 years ago

Hi! My SSL Checker shows me that everything seems to be fine: https://www.geocerts.com/ssl-checker

Tried to reproduce your issue with Chrome, but it seems to be working. Could your developer give us some more info on what warning message he/she is getting?

Best wishes, dev-love

sachbearbeiter commented 3 years ago

Hi! Another feedback (thanks for the reply and all the best for you):

"The problem is not with the certificate, but with the protocols used by the server. Both friendlycaptcha.com and docs.friendlycaptcha use the same certificate (I think), but docs.friendlycaptcha has no protocol problems, and friendlycaptcha has protocol problems.

Please use https://www.ssllabs.com/ssltest/index.html to check both these sites. Enter docs.friendlycaptcha.com, wait until it finishes, and then you will see 4 IP addresses listed, and all 4 will show grade A (best).

Then do another scan, enter friendlycaptcha.com, wait until it finishes, and then you will see (around) 6 IP addresses, and all will show grade B. If you click one IP address, scroll down to "Handshake Simulation", and you will see some devices have this message: "Server sent fatal alert: handshake_failure".

You can set Minimum TLS version in the Cloudflare Dashboard’s SSL/TLS section, setting it to 1.2 would solve the protocol problems and ssllabs should show grade A (after clearing its cache)."

dev-love commented 3 years ago

Thanks a lot for your explanation! Minimum TLS version is set to 1.2 and we are now getting grade A 👍 Is it working for you as well?

sachbearbeiter commented 3 years ago

Also thanks a lot! I'll give you an update in the next days ...

sachbearbeiter commented 3 years ago

"Thank you for changing the setting, it is working better now."

👍
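The protocol check discussed in this thread can also be run locally against a host you operate. The following is an added example, not part of the original issue or of the Friendly Captcha code; the function names `probe` and `below_minimum` are hypothetical, and it assumes a Python build linked against OpenSSL.

```python
import socket
import ssl
import warnings

VERSIONS = {  # oldest first
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}

def probe(host, port=443, timeout=5.0):
    """Try one handshake per protocol version; return {name: outcome}."""
    results = {}
    for name, version in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # only protocol negotiation is tested,
        ctx.verify_mode = ssl.CERT_NONE  # not the certificate chain
        try:
            # Local OpenSSL policy often blocks TLS 1.0/1.1; relax it for the probe.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            with warnings.catch_warnings():
                warnings.simplefilter("ignore", DeprecationWarning)
                ctx.minimum_version = ctx.maximum_version = version
        except (ssl.SSLError, ValueError):
            results[name] = "inconclusive"   # this client cannot offer the version
            continue
        try:
            sock = socket.create_connection((host, port), timeout=timeout)
        except OSError:
            results[name] = "unreachable"
            continue
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                results[name] = "accepted"
        except ssl.SSLError as exc:
            # A TLS alert sent by the server (handshake_failure, protocol_version)
            # is a rejection; any other SSLError is not proof of one.
            alert = "ALERT" in (exc.reason or "")
            results[name] = "rejected" if alert else "inconclusive"
        except ConnectionError:
            results[name] = "rejected"       # server reset the connection mid-handshake
        except OSError:
            results[name] = "inconclusive"   # timeout or other I/O error
    return results

def below_minimum(results, minimum="TLS 1.2"):
    """Names of accepted versions older than the required minimum."""
    names = list(VERSIONS)
    return [n for n in names[:names.index(minimum)] if results.get(n) == "accepted"]
```

Calling `below_minimum(probe(host))` returns an empty list when no version older than TLS 1.2 was negotiated; an "inconclusive" outcome for an old version means the local client could not test it and should not be read as a rejection.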