lichess-org / lila

♞ lichess.org: the forever free, adless and open source chess server ♞
https://lichess.org
GNU Affero General Public License v3.0

SSL issues on older browsers/OS #15325

Open SergioGlorias opened 4 months ago

SergioGlorias commented 4 months ago

Exact URL of where the bug happened

At the moment: lichess1.org (full domain) and cf-socket. But in the future it could affect the entire domain.

Steps to reproduce the bug

  1. Use old browsers/OS off the list https://letsencrypt.org/docs/certificate-compatibility/#platforms-that-trust-isrg-root-x2 (ISRG Root X2)

What did you expect to happen?

Lichess works

What happened instead?

The domain lichess1.org is unable to connect due to SSL error

Operating system

Any system off the list https://letsencrypt.org/docs/certificate-compatibility/#platforms-that-trust-isrg-root-x2 (ISRG Root X2)

Browser and version (or alternate access method)

Any Browser off the list https://letsencrypt.org/docs/certificate-compatibility/#platforms-that-trust-isrg-root-x2 (ISRG Root X2)

Additional information

The domain lichess1.org uses Cloudflare proxies. Since May 15th, Cloudflare has started using Let's Encrypt's ISRG Root X2 certificates instead of ISRG Root X1, which means that any navigation system older than those mentioned in the list will have problems using Lichess.org.

NOTE: Android devices with a version earlier than 7.1.1 are also unable to use Lichess with ISRG Root X1 certificates (which is what lichess.org currently uses); Google had already postponed that problem, and that date has passed.

SergioGlorias commented 4 months ago

[image attachment, not included in this copy]

benediktwerner commented 4 months ago

Have you tested this? Without lichess1.org, the whole site should be broken but I didn't notice any issues trying with iOS 14 in Browserstack. Checking the certificate chain with openssl, it looks like Cloudflare is using a cross-signed version of ISRG Root X2:

In addition, all platforms which trust ISRG Root X1 also trust the cross-signed version of ISRG Root X2.

Also would be surprised if Cloudflare would drop support for iOS 16 already.

Though ultimately, at some point older certificates expire anyways and there's nothing we can do against that. At some point, a device that doesn't receive any more updates becomes so outdated that it just can't be used anymore. Looks like ISRG Root X1 still has a decade left but we've already had this happen with the previous one a few years ago.

SergioGlorias commented 4 months ago

I haven't tested it directly, but I'm seeing who is having problems. Regarding iOS 14, there may have been an application update to extend support, as happened with Android 7 and below, which currently no longer trusts lichess.org's current SSL certificate.

I could also ask about it being Android 14+.

In addition, the operating system's internal systems may no longer have the certificate, but application certificates do.

benediktwerner commented 4 months ago

Do you have any specific cases/versions that are having SSL issues? As mentioned, it looks like Cloudflare is using the cross-signed version of the X2 certificate which, according to the Let's Encrypt page you linked, works on all devices that trust X1.

Which makes sense, Android 14 only released last year, there's no way Cloudflare would already break that. Same for iOS 16 as already mentioned above.

As for devices that don't even trust X1, I'm not sure we can reasonably do much about that. The best option is probably to use something like Firefox which has its own trust store. But such devices must already be lacking years of security updates and probably shouldn't connect to the internet at all. Given how ubiquitous Let's Encrypt is, they probably also can't use most other websites either.
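The two comments above by benediktwerner both rest on one point: a client accepts a chain as soon as it reaches an issuer in its own trust store, so a cross-signed ISRG Root X2 (issued by ISRG Root X1) validates wherever X1 is trusted, while a self-signed X2 does not, and a device that trusts neither fails either way. The model below is an added illustration for this thread, not lichess or Cloudflare code. Every subject, issuer name, trust store and validity date in it is constructed for the example, and it checks only issuer linkage and expiry, not signatures; it also shows what happens once the cross-signed certificate itself expires, the "certificates expire anyways" case.

```python
"""Model of how a TLS client validates a server's certificate chain against
its own trust store.  Added illustration for the lichess SSL thread, not
lichess or Cloudflare code: subjects, issuers, trust stores and dates are
constructed, and no signatures are checked, only issuer linkage and expiry."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date


# Constructed server chain pieces.  The two X2 variants are the crux of the
# thread: the same root can be served self-signed or cross-signed by X1.
LEAF = Cert("lichess1.org", "Let's Encrypt E1", date(2025, 12, 1))
E1_INTERMEDIATE = Cert("Let's Encrypt E1", "ISRG Root X2", date(2027, 3, 12))
X2_SELF_SIGNED = Cert("ISRG Root X2", "ISRG Root X2", date(2040, 9, 17))
X2_CROSS_SIGNED = Cert("ISRG Root X2", "ISRG Root X1", date(2025, 9, 15))

CHAIN_SELF_SIGNED_X2 = [LEAF, E1_INTERMEDIATE, X2_SELF_SIGNED]
CHAIN_CROSS_SIGNED_X2 = [LEAF, E1_INTERMEDIATE, X2_CROSS_SIGNED]

# Constructed trust stores standing in for the platform classes on the
# Let's Encrypt compatibility page.
TRUST_STORES = {
    "trusts X1 and X2": {"ISRG Root X1", "ISRG Root X2"},
    "trusts X1 only": {"ISRG Root X1"},
    "trusts neither": {"Some Other Root CA"},
}


def validate_chain(chain, trust_store, today):
    """Walk from the leaf towards the root, following issuer names.

    Succeeds as soon as a certificate's issuer is a root the client trusts;
    fails on expiry, on a self-signed root the client does not trust, or on
    an issuer that was neither sent nor trusted.  Returns (ok, reason).
    """
    by_subject = {c.subject: c for c in chain}
    cert = chain[0]
    visited = set()
    while True:
        if cert.not_after < today:
            return False, f"{cert.subject} expired on {cert.not_after}"
        if cert.issuer in trust_store:
            return True, f"chains to trusted root {cert.issuer}"
        if cert.issuer == cert.subject:
            return False, f"self-signed {cert.subject} is not in the trust store"
        visited.add(cert.subject)
        nxt = by_subject.get(cert.issuer)
        if nxt is None:
            return False, f"issuer {cert.issuer} not sent and not trusted"
        if nxt.subject in visited:
            return False, "issuer loop in chain"
        cert = nxt


def compatibility(chain, today):
    """Which platform classes can validate this chain on a given day."""
    return {name: validate_chain(chain, store, today)[0]
            for name, store in TRUST_STORES.items()}


if __name__ == "__main__":
    for label, chain in [("self-signed X2", CHAIN_SELF_SIGNED_X2),
                         ("cross-signed X2", CHAIN_CROSS_SIGNED_X2)]:
        print(label, compatibility(chain, date(2024, 6, 1)))
    # The cross-sign buys time, not permanence: once it expires, X1-only
    # clients fail on the cross-signed chain as well.
    print("cross-signed X2 after the cross-cert expires:",
          validate_chain(CHAIN_CROSS_SIGNED_X2,
                         TRUST_STORES["trusts X1 only"], date(2025, 10, 1)))
```

Run against a live server this is what `openssl s_client -showcerts` plus a look at each certificate's issuer tells you by hand; the model just makes the decision rule explicit. Note that the "trusts neither" store fails both chains, which is the situation for devices that predate ISRG Root X1 and that no server-side chain choice can fix.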