#9269 closed defect (fixed)
Webserver configuration is insufficient to allow for SSL certificate validation
| Reported by: | fercerpav@… | Owned by: | kaloz |
|---|---|---|---|
| Priority: | normal | Milestone: | Barrier Breaker 14.07 |
| Component: | website | Version: | Trunk |
| Keywords: | | Cc: | |
Description
I noticed your server certificate is issued by a commonly trusted
authority but in some circumstances clients still have difficulties
validating it.
The reason for that is that your certificate is issued by
"CN = Starfield Secure Certification Authority"
which is an intermediate certificate authority (issued by "OU =
Starfield Class 2 Certification Authority"). Debian's ca-certificates package
(ver. 20090814+nmu2) comes with
"OU = Starfield Class 2 Certification Authority"
which is considered to be trusted.
To allow an SSL/TLS client to validate all the chain up to a trusted
root CA, it should have all the certificates in the chain. With Apache
it's usually done with the "SSLCertificateChainFile" option.
Manual testing is possible with:
openssl s_client -connect dev.openwrt.org:443 -CApath /etc/ssl/certs/
Attachments (0)
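The failure described in the ticket can be reproduced offline. This is an added example, not part of the original ticket: a constructed root, intermediate and leaf stand in for the Starfield chain, the client trusts only the root, and `-untrusted` plays the role of the chain file the server sends. All subject names, file names and the helper functions are made up for illustration.

```shell
#!/bin/sh
# Constructed three-level PKI: root -> intermediate -> leaf (names are hypothetical).

new_csr() {  # new_csr <basename> <subject>: fresh key plus certificate request
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr"
}

build_pki() {  # build_pki <dir>: writes root.pem, int.pem and leaf.pem into <dir>
  ( cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    new_csr root "/OU=Example Root CA"
    new_csr int  "/CN=Example Intermediate CA"
    new_csr leaf "/CN=www.example.test"
    # Self-signed root: the only certificate the client will trust.
    openssl x509 -req -in root.csr -signkey root.key \
      -extfile ca.ext -days 2 -out root.pem
    # Intermediate CA, issued by the root.
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
      -set_serial 2 -extfile ca.ext -days 2 -out int.pem
    # Server certificate, issued by the intermediate.
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key \
      -set_serial 3 -days 2 -out leaf.pem
  ) >/dev/null 2>&1
}

# client_validates <trusted-root> <cert> [chain-file-sent-by-server]
# Succeeds only if openssl can build a path from <cert> to the trusted root.
client_validates() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null
  else
    openssl verify -CAfile "$1" "$2" 2>/dev/null
  fi | grep -q ': OK$'
}

PKI=$(mktemp -d) && build_pki "$PKI"
for sent in "" "$PKI/int.pem"; do
  if client_validates "$PKI/root.pem" "$PKI/leaf.pem" "$sent"; then
    result="validates"
  else
    result="FAILS (issuer of the leaf is unknown to the client)"
  fi
  echo "server sends leaf${sent:+ + intermediate}: client $result"
done
```

Against a live server, `openssl s_client -showcerts` lists the certificates the server actually sends, so a missing intermediate shows up as a chain of length one.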
Change History (3)
comment:1 Changed 7 years ago by jow
- Owner set to kaloz
- Status changed from new to assigned
comment:2 Changed 7 years ago by kaloz
- Resolution set to fixed
- Status changed from assigned to closed
comment:3 Changed 4 years ago by jow
- Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07
Milestone Attitude Adjustment 12.09 deleted
should be fixed now