[squeak-dev] SSL/Socket error code interpretation

Tobias Pape Das.Linux at gmx.de
Tue May 12 17:47:21 UTC 2020


> On 12.05.2020, at 19:34, tim Rowledge <tim at rowledge.org> wrote:
> 
> Thank you *very* much to Tobias and Levente for explaining this. At least it isn't just something I screwed up, so that makes me feel a bit less stupid. The connection has been working ok until recently though, which I suspect means somebody has been Fiddling With The Server. Hands may get slapped.
> 
> I thought I knew more about these certificate things than I ever wanted; now I know I know nothing. Which is *still* more than I ever wanted :-)

== If you control the server ==

Make sure to send a cert that includes the intermediate issuer, in this case
	/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA

The cert chain via openssl s_client looks like this:

Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=sagetea.ai
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA


But should look like this:

Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=sagetea.ai
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority

(including the root cert "COMODO RSA Certification Authority" is _not_ recommended tho)

And then have the professionals check it:
	https://www.ssllabs.com/ssltest/analyze.html?d=sagetea.ai&latest


Best regards
	-Tobias
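
Added example, not part of the message above or of any Squeak code: a Python check over the "Certificate chain" listing that openssl s_client prints, flagging the missing intermediate and the unneeded root described in the message. The function names parse_chain and audit_chain are hypothetical, and the sample listings are constructed from the chains quoted above.

```python
import re

# Constructed sample input: the chain listings quoted in the message above.
LEAF = "/OU=Domain Control Validated/OU=PositiveSSL/CN=sagetea.ai"
CA = "/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA "
INTERMEDIATE = CA + "Domain Validation Secure Server CA"
ROOT = CA + "Certification Authority"
BROKEN = f"Certificate chain\n 0 s:{LEAF}\n   i:{INTERMEDIATE}\n---\n"
FIXED = BROKEN.replace("---\n", f" 1 s:{INTERMEDIATE}\n   i:{ROOT}\n---\n")
WITH_ROOT = FIXED.replace("---\n", f" 2 s:{ROOT}\n   i:{ROOT}\n---\n")


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent the certs."""
    chain, in_block = [], False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_block = True
        elif in_block and line.startswith("---"):
            break  # s_client ends the chain listing with a '---' separator
        elif in_block and (m := re.match(r"\s*\d+\s+s:(.*)", line)):
            chain.append([m.group(1).strip(), None])
        elif in_block and chain and (m := re.match(r"\s+i:(.*)", line)):
            chain[-1][1] = m.group(1).strip()
    return [tuple(entry) for entry in chain]


def audit_chain(text):
    """Return a list of findings; an empty list means the listing looks complete."""
    chain = parse_chain(text)
    if not chain:
        return ["no certificate chain found in input"]
    findings = []
    # Each certificate must be issued by the next one the server sent.
    for n in range(len(chain) - 1):
        if chain[n][1] != chain[n + 1][0]:
            findings.append(f"cert {n}: issuer is not the subject of cert {n + 1}")
    subject, issuer = chain[-1]
    # Assumption: a public-CA leaf is not issued directly by a trusted root.
    if len(chain) == 1 and subject != issuer:
        findings.append(f"missing intermediate: {issuer}")
    if len(chain) > 1 and subject == issuer:
        findings.append(f"self-signed root included: {subject}")
    return findings


if __name__ == "__main__":
    for name, listing in [("broken", BROKEN), ("fixed", FIXED), ("with root", WITH_ROOT)]:
        print(name, audit_chain(listing) or "ok")
```

The check only compares the subject and issuer names in the listing; it does not verify signatures or consult a trust store.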

