bcgov / entity

ServiceBC Registry Team working on Legal Entities
Apache License 2.0
23 stars 58 forks

FireFox Warning: Potential Security Risk Ahead #2198

Closed rstens closed 4 years ago

rstens commented 4 years ago

Describe the bug

Firefox does not trust dev.bcregistry.ca because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.

The Certificate seems to be valid and correct.

To Reproduce

Steps to reproduce the behavior:

  1. Open Firefox
  2. Go to https://dev.bcregistry.ca/cooperatives/auth/
  3. See error

Expected behavior

No Error, functionality is now blocked.


thorwolpert commented 4 years ago

@rstens seems to be fine under Chrome. It looks like the certificate chain is loaded correctly.

thorwolpert commented 4 years ago

An overall grading of a C. That's not great by any measure. SSL_Server_Test_dev.bcregistry.ca.pdf

Kaineatthelab commented 4 years ago

Priority 1 bug.

On Dec 19, 2019, at 8:20 PM, thor <notifications@github.com> wrote:

Assigned #2198 (https://github.com/bcgov/entity/issues/2198) to @Kaineatthelab (https://github.com/Kaineatthelab).

rstens commented 4 years ago

Is there a correlation with the TLS 1.0 version still being the only supported one?

WalterMoar commented 4 years ago

WAM has five tickets open for this, due to the variety of applications behind *.bcregistry.ca. To make it easier on WAM we're closing ours and letting Dave McKinnon deal with it, since he has the oldest servers hosting the highest profile applications.

Yes, it's due to both the TLS version and the cipher suite in use. Chrome 81 (March 17) will not allow access to TLS 1.0 and TLS 1.1 sites. Likewise Firefox 74 (March 10).
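A per-version probe for the cause described in the comment above, added here as an example and not code from the bcgov/entity project. `probe` and `browser_verdict` are hypothetical names, `registry.example` is a placeholder host, and a `None` result can also mean the local OpenSSL build lacks that protocol.

```python
import socket
import ssl

VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
LEGACY = {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}


def probe(host, port=443, timeout=5.0):
    """Offer one protocol version at a time; map each version to the
    negotiated cipher suite name, or None when the handshake fails."""
    results = {}
    for version in VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Protocol support only: chain validation is a separate check.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            # Newer OpenSSL builds refuse TLS 1.0/1.1 above security level 0.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[version] = tls.cipher()[0]
        except (ssl.SSLError, OSError, ValueError):
            results[version] = None
    return results


def browser_verdict(results):
    """Classify probe results against the browser cutoff named in the thread."""
    accepted = {v for v, cipher in results.items() if cipher}
    if not accepted:
        return "unreachable"
    if accepted <= LEGACY:
        return "blocked"          # only TLS 1.0/1.1 on offer
    if accepted & LEGACY:
        return "legacy-enabled"   # reachable, old protocols still on
    return "ok"


if __name__ == "__main__":
    found = probe("registry.example")  # placeholder host (assumption)
    for version, cipher in found.items():
        print(f"{version.name:8} {cipher or 'refused'}")
    print("verdict:", browser_verdict(found))
```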

severinbeauvais commented 4 years ago

See also #1487.

Closing this ticket per Walter's note above.