Google Chrome doing something very weird with StartSSL certs

[jonnybarnes]

It's giving my site and sha{13}.com an orange icon on the padlock.

In both cases Chrome is telling me the intermediate cert is signed with SHA-1.

In both cases Firefox tells me the intermediate cert is signed with SHA-256.

Anyone any ideas?

EDIT: This is on mt Linux desktop, and Chromium works as expected, green padlock and telling me the intermediate cert is signed with SHA-256

[konklone]

I suspect it's this issue, or one like it:

https://code.google.com/p/chromium/issues/detail?id=473105

Though that particular issue affects only Windows computers, I've seen other cert-chain-selection bugs that end up preferring to draw from a local cache of SHA-1 intermediates than from the certificate presented by the server, thus causing the warning.

I'm going to close the issue here because there's nothing this project can do to simulate the condition, unless I were able to perform the entire process from inside the browser instead of on the server (which I don't think I can do).

In any case, I've been moving away from StartCom and towards SSLMate, which draws from upstream CAs that do not use the same cross-signing approach that StartCom does, and generally recommend it as a high quality certificate provider.

[jonnybarnes]

I’m getting a warning message on SSLLabs regarding the intermediate certificate actually: https://www.ssllabs.com/ssltest/analyze.html?d=jonnybarnes.uk

CRL ERROR: Processing failed: Read timed out [http://www.startssl.com/sfsca.crl]

[jonnybarnes]

Dunno if that has anything to do with it.

[konklone]

That's very strange, but looks like a fluke. I don't get that error for sha{13}. And when I re-run it for your site, the error disappears. Likely evidence of StartCom's CRL endpoint being flakey.

[jonnybarnes]

Right, got very confused about this, digging around I was linking to Mapbox’s JS and CSS. They were using a SHA-1 signed certificate. Serving the relevant files myself got me the green padlock back :)

Seems the CRL error was a red herring.

[pierky]

Just to add my experience about StartSSL SHA1 intermediate CA: http://blog.pierky.com/sha-1-sunset-valid-sha-2-chains-treated-as-insecure/

TL;DR: same intermediate CA with both SHA1 and SHA2, if SHA1 is in the Windows trust store it's the preferred one by Chrome.

[konklone]

@jonnybarnes For the record, now shaaaaaaaaaaaaa.com is getting hit with the same thing, since it's under StartSSL:

Seems like a good reminder to reissue under SSLMate!

[konklone]

Bing! Done:

[selecadm]

This issue can be solved server-side by replacing an intermediate.

@konklone, please try to use StartCom again, but with an intermediate provided below, not from StartCom official repository. AFAIR, you were using Class 2 cert, but I will post both 1 and 2.

Class 1

-----BEGIN CERTIFICATE----- MIIGNDCCBBygAwIBAgIBGTANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJJ TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERp Z2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20g Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDcxMDI0MjA1NDE3WhcNMTcx MDI0MjA1NDE3WjCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29t IEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNp Z25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRl cm1lZGlhdGUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEAtonGrO8JUngHrJJj0PREGBiEgFYfka7hh/oyULTTRwbw5gdfcA4Q 9x3AzhA2NIVaD5Ksg8asWFI/ujjo/OenJOJApgh2wJJuniptTT9uYSAK21ne 0n1jsz5G/vohURjXzTCm7QduO3CHtPn66+6CPAVvkvek3AowHpNz/gfK11+A nSJYUq4G2ouHI2mw5CrY6oPSvfNx23BaKA+vWjhwRRI/ME3NO68X5Q/LoKld SKqxYVDLNM08XMML6BDAjJvwAwNi/rJsPnIO7hxDKslIDlc5xDEhyBDBLIf+ VJVSH1I8MRKbf+fAoKVZ1eKPPvDVqOHXcDGpxLPPr21TLwb0pwIDAQABo4IB rTCCAakwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0O BBYEFOtCNNCYsKuf9BtrCPfMZC7vDixFMB8GA1UdIwQYMBaAFE4L7xqkQFul F2mHMMo0aEPQQa7yMGYGCCsGAQUFBwEBBFowWDAnBggrBgEFBQcwAYYbaHR0 cDovL29jc3Auc3RhcnRzc2wuY29tL2NhMC0GCCsGAQUFBzAChiFodHRwOi8v d3d3LnN0YXJ0c3NsLmNvbS9zZnNjYS5jcnQwWwYDVR0fBFQwUjAnoCWgI4Yh aHR0cDovL3d3dy5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMCegJaAjhiFodHRw Oi8vY3JsLnN0YXJ0c3NsLmNvbS9zZnNjYS5jcmwwgYAGA1UdIAR5MHcwdQYL KwYBBAGBtTcBAgEwZjAuBggrBgEFBQcCARYiaHR0cDovL3d3dy5zdGFydHNz bC5jb20vcG9saWN5LnBkZjA0BggrBgEFBQcCARYoaHR0cDovL3d3dy5zdGFy dHNzbC5jb20vaW50ZXJtZWRpYXRlLnBkZjANBgkqhkiG9w0BAQsFAAOCAgEA UiVivr7DGl0kxETnJMnlpLWn6AXQE+XSL2TdMkbS3wY40tqEo2O/MJ54cf1W QgZilw659qpXYmxMNX2VGo8rz2HxPcBMaU2mjRnVAyFXn2uLvTKUcBIu0Gs1 qA75FBUOYxKudcreUaeWD2LlPgtdMX48mEU1VmjtDAHs1X7/z5j6c75c2VZ6 9xx05z1MKm4+32xsntq3EdcmskUBc2VZNqs6iz1+cCBTQBdeP56f+1hFQ5Hi isQ8bDVdeENoFO99kHAAtjv4pkmj4BYqBUVWJy3VXxJcOk3QWyn5zwUps6EA JCAkY6u7rUiEhF4a3y7IV3llMx7V+lpkACGAKOlO2CVRohy+SDOiVGkzF+dz n+dx8Dzk+XX8ttFMh7G/IkbOBXLUOEuIDshnupkJZZdIFznMWAWN0iOj6qyb 3+FwZAA5AZua5nrZrLeqK8ssn8L5sFQOfO9mwcgszBLr63VfH+y4WqSDyVj9 mVv3yh6zTKYoXOMjH722m0oPwmgFsNLVrRSMtGt3Vvh0oSoDCjOi594tqTwa emktFyGcXud7db/MkwC2MU0DC1QZX3YQpjuP/keRY/U46/oOwaqI8JnhNd6x yn4H4ufzUAgl+Pu/aphb4RlClRuEL38a/Kq70wujW77vBXiEmjVOKnIkI2OE lZ/AyIQS/jZfAJX+NnYi6tU= -----END CERTIFICATE-----

Class 2

-----BEGIN CERTIFICATE----- MIIGNDCCBBygAwIBAgIBGzANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJJ TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERp Z2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20g Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDcxMDI0MjA1NzA5WhcNMTcx MDI0MjA1NzA5WjCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29t IEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNp Z25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRl cm1lZGlhdGUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEA4k85L6GMmoWtCA4IPlfyiAEhG5SpbOK426oZGEY6UqH1D/RujOqW jJaHeRNAUS8i8gyLhw9l33F0NENVsTUJm9m8H/rrQtCXQHK3Q5Y9upadXVAC HJuRjZzArNe7LxfXyz6CnXPrB0KSss1ks3RVG7RLhiEs93iHMuAW5Nq9TJXq pAp+tgoNLorPVavD5d1Bik7mb2VsskDPF125w2oLJxGEd2H2wnztwI14FBiZ gZl1Y7foU9O6YekO+qIw80aiuckfbIBaQKwn7UhHM7BUxkYa8zVhwQIpkFR+ ZE3EMFICgtffziFuGJHXuKuMJxe18KMBL47SLoc6PbQpZ4rEAwIDAQABo4IB rTCCAakwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0O BBYEFBHbI0X9VMxqcW+EigPXvvcBLyaGMB8GA1UdIwQYMBaAFE4L7xqkQFul F2mHMMo0aEPQQa7yMGYGCCsGAQUFBwEBBFowWDAnBggrBgEFBQcwAYYbaHR0 cDovL29jc3Auc3RhcnRzc2wuY29tL2NhMC0GCCsGAQUFBzAChiFodHRwOi8v d3d3LnN0YXJ0c3NsLmNvbS9zZnNjYS5jcnQwWwYDVR0fBFQwUjAnoCWgI4Yh aHR0cDovL3d3dy5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMCegJaAjhiFodHRw Oi8vY3JsLnN0YXJ0c3NsLmNvbS9zZnNjYS5jcmwwgYAGA1UdIAR5MHcwdQYL KwYBBAGBtTcBAgEwZjAuBggrBgEFBQcCARYiaHR0cDovL3d3dy5zdGFydHNz bC5jb20vcG9saWN5LnBkZjA0BggrBgEFBQcCARYoaHR0cDovL3d3dy5zdGFy dHNzbC5jb20vaW50ZXJtZWRpYXRlLnBkZjANBgkqhkiG9w0BAQsFAAOCAgEA bQjxXHkqUPtUY+u8NEFcuKMDITfjvGklLgrTuBW63grW+2AuDAZRo/066eNH s6QV4i5e4ujwPSR2dgggY7mOIIBmiDm2QRjF5CROq6zDlIdqlsFZICkuONDN FpFjaPtZRTmuK1n6gywQgCNSIrbzjPcwR/jL/wowbfwC9yGme1EeZRqvWy/H zFWacs7UMmWlRk6DTmpfPOPMJo5AxyTZCiCYQQeksV7xUAeY0kWa+y/FV+ee rOPUl6yy4jRHTk7tCySxrciZwYbd6YNLmeIQoUAdRC3CH3nTB2/JYxltcgyG HMiPU3TtafZgLs8fvncv+wIF1YAF/OGqg8qmzoJ3ghM4upGdTMIu8vADdmuL C/+dnbzknxX6QEGlWA8zojLUxVhGNfIFoizu/V/DyvSvYuxzzIkPECK5gDoM oBTTMI/wnxXwulNPtfgF7/5AtDhA4GNAfB2SddxiNQAF7XkUHtMZ9ff3W6Xk FldOG+NlLFqsDBG/KLckyFK36gq+FqNFCbmtmtXBGB5L1fDIeYzcMKG6hFQx hHS0oqpdHhp2nWBfLlOnTNqIZNJzOH37OJE6Olk45LNFJtSrqIAZyCCfM6bQ goQvZuIaxs9SIp+63ZMk9TxEaQj/KteaOyfaPXI9778U7JElMTz3Bls62msl V2I1C/A73ZyqJZWQZ8NU4ds= -----END CERTIFICATE-----

[konklone]

@selecadm, I appreciate you helping us out on the thread with the correct intermediate certificates. But this isn't a very scalable way to fix the problem for people -- will StartSSL update its documentation to point to these at a canonical URL? In any case, I've moved on myself, for the time being anyway.

[pRiVi]

@selecadm: WTF, why does this shit work?

[selecadm]

@pRiVi some magic happens to Windows CryptoAPI making it prefer the server chain regardless of cache.

[selecadm]

@konklone, the service should probably give a red warning for sites with StartCom certificates, regardless of the server chain sent.

[konklone]

@selecadm There are a bunch of rough SHA-1 chain construction bugs, and it varies by OS too (Debian has it especially bad. It would be very challenging to simulate all the possibilities, and keep them up to date. It would also need to depend on the use of particular intermediate certificates, not a root CA broadly (even if in StartCom's case they may not have a viable solution for some people).

I don't like SHAAAAA being a less authoritative source than it could be, though I note that even SSL Labs doesn't seem to be simulating client-specific chain construction behavior. I'm open to proposals, but don't have a strong appetite for chasing user-client-specific behavior here.

[jonnybarnes]

Would sending the full certificate chain help prevent clients construct bad chains? Or is it better to save on bytes sent and omitting the root cert?

[selecadm]

@jonnybarnes sending the root is the proposed fix for Network Solutions SHA1 issue, since this CA is so dumb, even the roots trusted by Mozilla and Microsoft are two different roots.

StartCom SHA1 issue can be fixed by sending an intermediate published by me.

After I had successfully abused an unfortunate Chinese CA by obtaining a certificate for already known phishing domain (as per Netcraft), which root is also signed by StartCom as per cross-signing agreement, StartCom mistakenly revoked my certificates used for improving the state of HTTPS. Had to spend $100 on Comodo certs to mitigate this. 7 years ago this CA was abused by StartCom CEO by obtaining a certificate for the domain he didn't even own, but at least Comodo doesn't have SHA1 cache issue. I also got completely banned in the StartCom system (client authentication certificate revoked). Better switch certificates on other domains too.

You have been warned!

[pRiVi]

I still don't know what exaclty fixed my domains... Its your Intermediate, yes, but WHY?

[selecadm]

@pRiVi, the issue is probably a byproduct of creating new intermediates with longer validity (valid until 2022 instead of 2017). This took place in February 2015, sites configured after this are treated as weak/insecure by Chrome, depending on a server certificate notAfter value. Sites configured before February 2015 (those with an intermediate valid until 2017) are fine.

WIndows is a proprietary OS, and its CryptoAPI behaviour is incomprehensible to simple people like me, so no technical details, just stating the fact.

[konklone]

@selecadm I removed your comment, as its tone was unconstructively hostile (even if not to the individuals on this thread) and detracted from your technical comments. Feel free to re-post it with edits or otherwise continue the dialogue here, but please keep it civil and focused on solutions.

[selecadm]

@konklone thanks! You have done this for good actually. I have created a new account in StartCom system and got my previous Class 2 validation and certificates accessible again.

There are still security and trust problems with their current infrastructure and practices, though. Hope to encourage them fixing.

Anyway, will the software for fixing the issue client-side be useful? So that affected sites can provide it to their visitors. I've got a code signing certificate from Thawte, but I think it would be better to register a company with recognized name first. Also am not sure about SHA2 code signing compatibility.