keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

Unable to prove HTTPS (possibly due to cipher suite issues) #807

Open Burnus opened 10 years ago

Burnus commented 10 years ago

Hi,

The keybase daemon currently reports my HTTPS proof to be broken. I am however able to obtain and verify it by following the link for the HTTP proof (http://burnus.net/keybase.txt), or using https:// respectively, and piping the result into keybase verify. My guess is that the issue has to do with the fact that my server only accepts a few carefully selected HTTPS cipher suites (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)), which are not yet supported by all the SSL libraries. Can you please elaborate on which cipher suites you support on your end?

Thanks.

maxtaco commented 10 years ago

I don't think the issue is related to your choice of cipher, as we support those ciphers.

I think the issue is that your proof file says the proof is for http and not https (look at the JSON to see this). You can use the same file to serve both proofs, just concat the two proofs together. I've included your original https proof below. Let me know when you've done this, and I'll tell our proof checker to retry.

==================================================================
https://keybase.io/burnus
--------------------------------------------------------------------

I hereby claim:

  * I am an admin of https://burnus.net
  * I am burnus (https://keybase.io/burnus) on keybase.
  * I have a public key with fingerprint 9F81 C67A 8700 5B6A 6747  7126 F7B0 C432 2B4C FCBE

To claim this, I am signing this object:

{
    "body": {
        "key": {
            "fingerprint": "9f81c67a87005b6a67477126f7b0c4322b4cfcbe",
            "host": "keybase.io",
            "key_id": "f7b0c4322b4cfcbe",
            "uid": "4792ada869f955262dd24d080cd52100",
            "username": "burnus"
        },
        "service": {
            "hostname": "burnus.net",
            "protocol": "https:"
        },
        "type": "web_service_binding",
        "version": 1
    },
    "ctime": 1397464347,
    "expire_in": 157680000,
    "prev": "5b11f311f49bb8e656fab05076e65ed903a2a07b3229273622f54a88240922ce",
    "seqno": 3,
    "tag": "signature"
}

with the aforementioned key, yielding the PGP signature:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

owGbwMvMwMQoIBvgyvXeWYTx9IH3SQzB3nMNqpWS8lMqlayqlbJTwVRaZl56alFB
UWZeiZKVkmWahWGymXmihbmBgWmSWaKZuYm5uaGRWZp5kkGyibGRUZJJclpyUqqS
jlJGfjFIB9CYpMTiVL3MfKAYkBOfmQIUxaK+FCxhYm5plJiSaGFmmWZpampkZpSS
YmSSYmBhkJxiamRoYABSWJxalJeYmwpUnVRalFdarFSrowQUK8tMTgW5GGQxirxe
XmoJUF9BUX5JfnJ+DlA8o6SkoNgKpK+ksgCksDw1KR5qRHxSZl4K0NNAHWWpRcWZ
+XlKVoZAlcklmSAzDY0tzU3MTIxNzHWUUisKMotS4zNBKkzNzSwMgABkT2oZ0EjT
JEPDNGMgNrFMSrJINTM1S0tMMjA1MDcDslNTLA2ME40SDcyTgIFgaWRubGZklGZq
kmhhYWRiYGlklAwKkuLUwrx8JStjoDMT04FGFmem5yWWlBalKtVydTLJsDAwMjGw
sTKB4o2Bi1MAFpu7TvL/4VqambDEYAPfhEJmHiWWjmlRjx73NDkuZT16zmlp0ot5
0nzGGi2hqu9Enu/4IVxQoXiFY8HCCJs7Z9rk7n/7eorddy77B8f72hHydh3WfQoa
j+M+Jm+ovp6Vuf6z2YUr1oy/rpUe081+t+10q98LIae8CWeOmbbwWylyP3rK/HNO
SoGq7aLVLS9USlNiJzTO+XZmobX5tSSFG1bZyanhd8rzv0VkVj0vP8RdeouzNEZt
/f3itftPP/jCn3/Ue1XVq7RDu428vxc8bbZkejFh01r9Nfe1gqzLJQ7NnxJvt19w
oewuMeXshvtTChtX57hdygrJdali+m3xLIwv91Wh0QVty4nW6SIWXStc+9cLPZlz
O1JwmxLzB3vbe0tbnho4RHz/Vqfn/P33Ps/IuSzzbafuz908izMiYWXaqiyDvFlb
HtxUZvvOcsjlZX5O5l5nthdWe2YHLV+tZ7C7/xPXqaMPmBb7fwnnOZd5wk9hyZR5
9cwhjhsquC8XPXqz6Nx+/2Wu6aoeu2UsH+gcSnug9TH46rlvvLdS7szV4fle7K46
L0Lt8aNvLK1bKt4d2jy5b2d6eoN7wr+5Zzcp6E5z+jbl5sr5y45MVJgq+v2Th9KZ
2qXvM6f93H1W6Q7Dgvw467iZH+TXZL8N1W3iuyu/J2mmo9vqNy8EjXS/XX/1V/+j
SOmV5VtzVVLnxzFuPNzipLT7/2P3jb6Mpq8XWwMA
=xe7M
-----END PGP MESSAGE-----

And finally, I am proving ownership of this host by posting or
appending to this document.

View my publicly-auditable identity here: https://keybase.io/burnus

==================================================================
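
The check maxtaco describes above, as an added example and not Keybase's own checker code: a small Python parser that splits a keybase.txt body into its signed JSON objects and reports whether the file carries a web_service_binding whose protocol field matches the scheme the file was fetched over. A file that binds only http: fails the https: check even though it is reachable over TLS, and concatenating the two proofs fixes it. The proof text here is constructed for the example (user someuser, host example.net, placeholder fingerprints, no real signature), so it exercises the JSON check only, not PGP verification.

```python
import json
import re

# The signed object sits between these two fixed phrases in every proof block.
# Non-greedy so that several concatenated proofs are split correctly.
_SIGNED_OBJECT = re.compile(
    r"I am signing this object:\s*(\{.*?\})\s*with the aforementioned key",
    re.S,
)


def extract_bindings(proof_text):
    """Return one dict per web_service_binding found in a keybase.txt body."""
    bindings = []
    for m in _SIGNED_OBJECT.finditer(proof_text):
        obj = json.loads(m.group(1))
        body = obj.get("body", {})
        if body.get("type") != "web_service_binding":
            continue
        svc = body.get("service", {})
        bindings.append({
            "hostname": svc.get("hostname"),
            "protocol": svc.get("protocol"),
            "seqno": obj.get("seqno"),
            "ctime": obj.get("ctime"),
        })
    return bindings


def check_binding(proof_text, hostname, scheme):
    """The check this issue is about: a file fetched over `scheme` ("http" or
    "https") must contain a binding for `hostname` whose protocol matches.
    Returns (ok, reason)."""
    want = scheme + ":"
    found = extract_bindings(proof_text)
    if not found:
        return False, "no web_service_binding object found"
    for b in found:
        if b["hostname"] == hostname and b["protocol"] == want:
            return True, "binding for %s found (seqno %s)" % (want, b["seqno"])
    present = sorted({b["protocol"] for b in found if b["hostname"] == hostname})
    return False, "no %s binding for %s; file only binds %s" % (
        want, hostname, present or "nothing")


def _proof_block(protocol, seqno):
    # Constructed proof text in the shape Keybase emits. Fingerprints, uid and
    # prev are zero placeholders and the PGP body is omitted: only the JSON is
    # inspected by the functions above.
    obj = {
        "body": {
            "key": {"fingerprint": "00" * 20, "host": "keybase.io",
                    "key_id": "00" * 8, "uid": "0" * 32, "username": "someuser"},
            "service": {"hostname": "example.net", "protocol": protocol},
            "type": "web_service_binding",
            "version": 1,
        },
        "ctime": 1397464000 + seqno,
        "expire_in": 157680000,
        "prev": "00" * 32,
        "seqno": seqno,
        "tag": "signature",
    }
    return (
        "==================================================================\n"
        "https://keybase.io/someuser\n"
        "--------------------------------------------------------------------\n\n"
        "I hereby claim:\n\n"
        "  * I am an admin of %s//example.net\n"
        "  * I am someuser (https://keybase.io/someuser) on keybase.\n\n"
        "To claim this, I am signing this object:\n\n"
        "%s\n\n"
        "with the aforementioned key, yielding the PGP signature:\n\n"
        "-----BEGIN PGP MESSAGE-----\n(signature omitted in this constructed sample)\n"
        "-----END PGP MESSAGE-----\n\n"
        "And finally, I am proving ownership of this host by posting or\n"
        "appending to this document.\n\n"
        "==================================================================\n"
    ) % (protocol, json.dumps(obj, indent=4, sort_keys=True))


# What burnus.net served: a single http: proof.
SAMPLE_HTTP_ONLY = _proof_block("http:", 2)
# What maxtaco suggests: the http: and https: proofs concatenated in one file.
SAMPLE_BOTH = SAMPLE_HTTP_ONLY + _proof_block("https:", 3)

if __name__ == "__main__":
    for name, text in (("http-only", SAMPLE_HTTP_ONLY), ("both", SAMPLE_BOTH)):
        for scheme in ("http", "https"):
            print(name, scheme, check_binding(text, "example.net", scheme))
```

The same parser runs over a real file (`check_binding(open("keybase.txt").read(), "yourhost", "https")`); it tells you which protocol the file actually binds, which is the first thing to look at before suspecting ciphers or certificates.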
wyllys66 commented 10 years ago

I have the same issue. My proof is posted and available at https://ipgmail.com/keybase.txt, but the verification keeps failing and I'm not sure how to fix it:

==================================================================
https://keybase.io/wyllys
--------------------------------------------------------------------

I hereby claim:

  * I am an admin of https://ipgmail.com
  * I am wyllys (https://keybase.io/wyllys) on keybase.
  * I have a public key with fingerprint A5D0 EFBC 4A52 B587 E68A  2451 7FEA 1CCB 47E3 234C

To claim this, I am signing this object:

{
    "body": {
        "key": {
            "fingerprint": "a5d0efbc4a52b587e68a24517fea1ccb47e3234c",
            "host": "keybase.io",
            "key_id": "7fea1ccb47e3234c",
            "uid": "0e021373e98cb7ebb649c35f79a25900",
            "username": "wyllys"
        },
        "service": {
            "hostname": "ipgmail.com",
            "protocol": "https:"
        },
        "type": "web_service_binding",
        "version": 1
    },
    "ctime": 1403376746,
    "expire_in": 157680000,
    "prev": "dd02e21119927ab0d913322f00c97e7e66a59af18503c0df09e99f8f56ddbf07",
    "seqno": 13,
    "tag": "signature"
}

with the aforementioned key, yielding the PGP signature:

-----BEGIN PGP MESSAGE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
[...]
=ZEOn
-----END PGP MESSAGE-----

And finally, I am proving ownership of this host by posting or
appending to this document.

View my publicly-auditable identity here: https://keybase.io/wyllys

==================================================================
malgorithms commented 10 years ago

@maxtaco - could this be because the server is replying that /.well-known/keybase.txt is forbidden, rather than 404'ing? So it's failing on that instead of getting to keybase.txt?

maxtaco commented 10 years ago

No, I don't think that should be an issue.

wyllys66 commented 10 years ago

Does your proof verification script handle redirects? If you hit my site with 'http' it redirects (302) to https://....

maxtaco commented 10 years ago

@wyllys66 in your case it's a certificate problem, I'm guessing. If I open the link in FF, I get an HTTPS warning.

wyllys66 commented 10 years ago

It's a valid cert, not self-signed. Firefox is being a little overly sensitive, perhaps they don't have my root CA in their built in cache. I have no issues with Chrome or Safari, though.

maxtaco commented 10 years ago

Agreed, I didn't have any problems with Chrome or Safari either. But our checker is from Node.js which takes its CA list from the Firefox repo, so that's why your proof is failing.

Maybe you need to include intermediate certificates?

wyllys66 commented 10 years ago

I think it does...

Try this: openssl s_client -showcerts -connect ipgmail.com:443

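One way to run the openssl check wyllys66 suggests and read its output systematically, as an added example that is not from this thread or from Keybase: the Python below parses `openssl s_client -showcerts` output, counts the certificates the server actually sent, pulls the negotiated protocol and cipher and the final verify return code, and separates the failure this thread ends on (the server sends only its leaf, so the intermediate is missing and a client with just a root bundle cannot build the chain) from a root that is simply absent from the local trust store. The sample output is constructed (host example.net, placeholder CA names, PEM body replaced by a placeholder); `run_s_client` makes a live call when given a real host.

```python
import re
import subprocess

# Patterns over the text `openssl s_client -showcerts` prints. The
# "Certificate chain" section lists one " N s:<subject>" / "   i:<issuer>"
# pair per certificate the server sent.
_CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.M)
_VERIFY_CODE = re.compile(r"Verify return code: (\d+) \((.*?)\)")
_CIPHER = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)
_PROTOCOL = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)


def diagnose(s_client_output):
    """Summarise one s_client run and say why verification failed, if it did."""
    chain = [
        {"depth": int(d), "subject": s.strip(), "issuer": i.strip()}
        for d, s, i in _CHAIN_ENTRY.findall(s_client_output)
    ]
    pem_count = s_client_output.count("-----BEGIN CERTIFICATE-----")
    m = _VERIFY_CODE.search(s_client_output)
    code = int(m.group(1)) if m else None
    text = m.group(2) if m else None
    cipher = _CIPHER.search(s_client_output)
    proto = _PROTOCOL.search(s_client_output)

    if code == 0:
        verdict = "ok"
    elif code is None or not chain:
        verdict = "no_handshake"  # nothing to judge: connection or parse failure
    elif len(chain) == 1 and chain[0]["issuer"] != chain[0]["subject"]:
        # Only the leaf was sent and it is not self-signed: the server relies on
        # the client already holding the intermediate. A client that ships only
        # roots (the Mozilla-derived list the thread mentions) cannot chain it.
        verdict = "missing_intermediate"
    else:
        # Intermediates were sent; the top of the chain is not anchored in the
        # local trust store, so adding more intermediates will not help.
        verdict = "untrusted_root"

    return {
        "chain": chain,
        "pem_count": pem_count,
        "verify_code": code,
        "verify_text": text,
        "cipher": cipher.group(1) if cipher else None,
        "protocol": proto.group(1) if proto else None,
        "verdict": verdict,
    }


def run_s_client(host, port=443, timeout=15):
    """Live check: shell out to openssl and diagnose the result. The depth=/verify
    lines go to stderr and the chain to stdout, so both streams are joined."""
    proc = subprocess.run(
        ["openssl", "s_client", "-showcerts", "-servername", host,
         "-connect", "%s:%d" % (host, port)],
        input=b"", capture_output=True, timeout=timeout,
    )
    return diagnose((proc.stdout + proc.stderr).decode("utf-8", "replace"))


# Constructed sample of an incomplete chain: the server sends only its leaf,
# openssl cannot find the leaf's issuer locally and ends with return code 21.
# CA names and the PEM body are placeholders.
SAMPLE_INCOMPLETE_CHAIN = """\
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = example.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = example.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=example.net
   i:/C=GB/O=Example CA Limited/CN=Example Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
(certificate body omitted in this constructed sample)
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/CN=example.net
issuer=/C=GB/O=Example CA Limited/CN=Example Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 1536 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 21 (unable to verify the first certificate)
---
"""

if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = run_s_client(target) if target else diagnose(SAMPLE_INCOMPLETE_CHAIN)
    print(json.dumps(result, indent=2))
```

Run it with no argument to see the constructed sample diagnosed, or with a hostname to check a live server. Note that a live run verifies against openssl's default CA path, not the list the Node-based checker uses; to reproduce that checker's view exactly, add `-CAfile` pointing at a PEM copy of the bundle it ships. A `missing_intermediate` verdict is the one the server operator can fix by adding the intermediate to the served chain.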
maxtaco commented 10 years ago

This is the list we get from node: https://github.com/joyent/node/blob/v0.10.28-release/src/node_root_certs.h

wyllys66 commented 10 years ago

Here is the root CA cert that I got with my certificates. I do admit, I went with a cheap cert service (namecheap.com)

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
timbray commented 10 years ago

Possibly related: Check out https://www.ssllabs.com/ssltest/analyze.html?d=keybase.io&s=54.84.133.185 This is why running Java clients from the command line doesn’t work with keybase.io

maxtaco commented 10 years ago

@timbray what should i be looking for in that report --- lack of session resumption?

timbray commented 10 years ago

Dunno, I'm kind of a TLS moron. But the problem that was breaking Java was a cipher-suite mismatch.

maxtaco commented 10 years ago

Oh, burn. If there's any debug output I can work with, let me know, I'll take a look.

maxtaco commented 10 years ago

@wyllys66 have you tried the advice on this page: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/683/17/firefox-error-code-sec_error_unknown_issuer

wyllys66 commented 10 years ago

I'll follow up with my hosting provider. They did the install (for a fee, of course) for me.

maxtaco commented 10 years ago

Yeah, I think they left out the intermediate cert. Cheers.