SSL – Troubleshooting SSL Trust Chain Issues

ssl

The SSL cert for my site, https://www.snipsalonsoftware.com/, doesn't work on Android. In troubleshooting this problem I've plugged my site into the Qualys SSL Labs testing tool:

https://www.ssllabs.com/ssltest/analyze.html?d=www.snipsalonsoftware.com&s=50.57.181.104

This report seems to tell me that I have "chain issues". Something is "incomplete". But I'm having trouble understanding exactly what is incomplete.

In the next section, under "Certification Paths", I see in orange (and I'm guessing orange means "kinda bad") "Extra download". I have no idea what this means or how to fix it. I found this thread, but I can't tell how to translate what they're saying into a solution for me.

What should I do?

Best Answer

You have configured your server to only send the certificate to browsers. For most desktop browsers, this is fine because they already contain a whole lot of intermediate and root CA details, so they can construct the chain of trust easily. For most mobile browsers you generally need to provide the entire certificate chain, i.e. your own certificate, that of the issuing CA and any intermediates that might exist between that and the ultimate root CA. The mobile device will likely have the root CA details only in this scenario.

For you specific cert, you can read this Comodo helpdesk article: Knowledgebase : Comodo Certification Authority > Certificates > SSL > Certificate Installation

Related Solutions

AWS – How to Install Intermediate Certificates

concatenate the files provided manually, in the following order:

site.com.crt
intermediate.crt (one or more, the order of these doesn't matter)
ROOT.crt

you can do this from a shell with the cat command

cat site.com intermediate.crt ROOT.crt > site.chain.pem

or copy/paste them, no whitespace between, make sure certificates are on different lines

-----BEGIN CERTIFICATE-----
site cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
root cert
-----END CERTIFICATE-----

Ssl – What determines the combination of ciphers available on an SSL server

On all Windows 2008 R2 servers that I've seen ssl v2 has been enabled by default and I've had to go and disable it myself. Doing so (disabling it) hasn't seemed to break IE6... obviously the machine has been hardened by someone

Qualys has a very decent online SSL scanner that will tell you exactly what protocols and even cipher suites you have enabled, and if there are any other cert errors and what renegotiation is allowed - https://www.ssllabs.com/ssltest/ - perhaps an overly limited combination of ciphers and protocols has been chosen.

When you say it fails - what do you mean? That there is a certificate error? Is the root CA trusted on the older client machines?

It is possible in IE to disable SSL v3 and other protocols, on those machines throwing errors, check in Tools / Internet Options / Advanced tab and see if SSL 3 and TLS 1 is checked.

Check the values of the following reg keys

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\DisableRenegoOnClient
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\DisableRenegoOnServer

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\AllowInsecureRenegoClients
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\AllowInsecureRenegoServers

see http://support.microsoft.com/kb/977377 and http://support.microsoft.com/kb/980436

Best Answer

Related Solutions

AWS – How to Install Intermediate Certificates

Ssl – What determines the combination of ciphers available on an SSL server

Related Topic