[squeak-dev] SSL/Socket error code interpretation
Tobias Pape
Das.Linux at gmx.de
Tue May 12 17:47:21 UTC 2020
> On 12.05.2020, at 19:34, tim Rowledge <tim at rowledge.org> wrote:
>
> Thank you *very* much to Tobias and Levente for explaining this. At least it isn't just something I screwed up, so that makes me feel a bit less stupid. The connection has been working ok until recently though, which I suspect means somebody has been Fiddling With The Server. Hands may get slapped.
>
> I thought I knew more about these certificate things than I ever wanted; now I know I know nothing. Which is *still* more than I ever wanted :-)
== If you control the server ==
Make sure to send a cert that includes the intermediate issuer, in this case
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
The cert chain via openssl s_client looks like this:
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=sagetea.ai
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
But should look like this:
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=sagetea.ai
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
(including the root cert "COMODO RSA Certification Authority" is _not_ recommended tho)
And then have the professionals check it:
https://www.ssllabs.com/ssltest/analyze.html?d=sagetea.ai&latest
Best regards
-Tobias
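
Added example, not part of the original message: a shell check for the condition described above, classifying the "Certificate chain" section of openssl s_client output. The names chain_status, sample_served and sample_wanted and the status words are made up for this sketch; the two sample inputs are the chains quoted in the message.

```shell
#!/bin/sh
# Added example (not from the original message). chain_status and its
# status words are hypothetical names chosen for this sketch.
# Live use: openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | chain_status

# Reads `openssl s_client` output on stdin, prints one status word.
chain_status() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        !in_chain            { next }
        # "N s:<subject>" starts a new certificate, "i:<issuer>" belongs to it
        /^ *[0-9]+ +s:/ { n++; sub(/^ *[0-9]+ +s:/, ""); subj[n] = $0; next }
        /^ *i:/         { sub(/^ *i:/, ""); iss[n] = $0; next }
        END {
            if (n == 0) { print "no-chain"; exit }
            # every issuer must be the subject of the next certificate sent
            for (k = 1; k < n; k++)
                if (iss[k] != subj[k + 1]) { print "broken-link"; exit }
            if (iss[n] == subj[n]) { print "root-included"; exit }  # self-signed top
            if (n == 1) { print "leaf-only"; exit }                 # issuer not sent
            print "ok"
        }'
}

# Chain the server sent, as quoted in the message.
sample_served() {
    cat <<'EOF'
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=sagetea.ai
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
EOF
}

# Chain the message says the server should send.
sample_wanted() {
    cat <<'EOF'
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=sagetea.ai
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
---
EOF
}

printf 'served: %s\n' "$(sample_served | chain_status)"   # leaf-only
printf 'wanted: %s\n' "$(sample_wanted | chain_status)"   # ok
```

The comparison is on the printed subject and issuer names only; it does not verify signatures or validity dates.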