I'm having trouble with my bank site. The login page gives me an SSL
failed warning in both Konqueror (for about a month) and now Firefox as
well. I don't seem to see any relevant Gentoo bugs on this yet, but
would like to confirm it's not a MitM attack before I file one. It
doesn't seem to happen at other SSL sites, so it doesn't appear to be a
general SSL error, tho it might be one with that particular type of
certificate.

The site (login isn't necessary, the error comes on the initial connect):

https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller?state=AZ

Konqueror 3.5.7's error:

The server failed the authenticity test (<site domain>).

Details gives me this:

Certificate signing authority is unknown or invalid.

The issuer appears to be VeriSign, Inc. Common name: VeriSign Class 3
Secure Server CA. The certificate is fairly new, valid from Monday, 20
August 2007, 00:00:00 GMT.

In case anyone wishes to verify the specifics, Konqueror lists the serial
number as (spaces added for readability) 1100 7197 7289 5102 6319 8066
3729 4699 1776 610, MD5 digest as
9B:B9:DB:12:3D:B6:99:19:B1:99:6E:1C:9F:CE:7C:E5, Cypher RC4-SHA, SSL
version TLSv1/SSLv3, 128-bit used of 128 bit cipher.

I thought it was just Konqueror strangeness until Firefox (which worked
at first, after Konqueror quit) started protesting as well.

Firefox:

Unable to verify the identity of <site> as a trusted site. Possible
reasons for this error [etc...]

Examine Certificate lists similar details:

Serial in hex this time as:
52:CF:17:7A:4E:1C:0C:E4:7B:A6:3C:E0:0B:DC:03:62

MD5 fingerprint the same, same issuer, VeriSign Class 3 Secure Server CA,
etc, so it appears to be the same cert, with the same problem.

So what's up? Anyone else having problems? You should be able to check
the SSL even without a login. They do seem to be only with the latest
version, at least of Firefox, since I didn't have issues with it until I
updated just a couple days ago.

Again, most secure sites work just fine, but it could still be one of the
SSL libraries.

BTW, I have bills coming due that it'd be nice to be able to pay, so it'd
in turn be nice to at least get a confirmation from others that the
cert's not compromised. I can (well, should be able to, I've not
actually tried, but I get the option presented) still accept it manually
once I'm sure it's not a MitM attack.

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman

--
gentoo-desktop@g.o mailing list
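
The post compares a space-grouped decimal serial from Konqueror with a colon-separated hex serial from Firefox. As an added example (not part of the original post), this Python script brings both serial forms and the MD5 fingerprint into one representation before comparing them; the function names are assumptions made for illustration.

```python
import re

def parse_serial(text):
    """Return a certificate serial as an int.

    Colon-separated octets are read as hex (the Firefox dialog's form);
    anything else must be decimal digits, optionally space-grouped
    (the Konqueror dialog's form).
    """
    s = text.strip()
    if ":" in s:
        octets = s.split(":")
        if not all(re.fullmatch(r"[0-9A-Fa-f]{2}", o) for o in octets):
            raise ValueError(f"malformed hex serial: {text!r}")
        return int("".join(octets), 16)
    digits = re.sub(r"\s+", "", s)
    if not re.fullmatch(r"[0-9]+", digits):
        raise ValueError(f"malformed decimal serial: {text!r}")
    return int(digits)

def serial_as_hex(n):
    """Format a serial as colon-separated upper-case octets."""
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return ":".join(f"{b:02X}" for b in raw)

def normalize_fingerprint(text, length=16):
    """Return a digest as bytes; length=16 is MD5, the digest both dialogs showed."""
    raw = bytes.fromhex(re.sub(r"[\s:]", "", text))
    if len(raw) != length:
        raise ValueError(f"expected {length} digest bytes, got {len(raw)}")
    return raw

def same_certificate(serial_a, fp_a, serial_b, fp_b):
    """True only if both the serial and the fingerprint agree."""
    return (parse_serial(serial_a) == parse_serial(serial_b)
            and normalize_fingerprint(fp_a) == normalize_fingerprint(fp_b))

# Values as quoted in the post above.
KONQ_SERIAL = "1100 7197 7289 5102 6319 8066 3729 4699 1776 610"
FF_SERIAL = "52:CF:17:7A:4E:1C:0C:E4:7B:A6:3C:E0:0B:DC:03:62"
MD5_FP = "9B:B9:DB:12:3D:B6:99:19:B1:99:6E:1C:9F:CE:7C:E5"

if __name__ == "__main__":
    print(serial_as_hex(parse_serial(KONQ_SERIAL)))
    print(same_certificate(KONQ_SERIAL, MD5_FP, FF_SERIAL, MD5_FP))
```

Agreement between two browsers on the same machine and network path shows only that both were served the same certificate. Ruling out interception needs a reference serial or fingerprint obtained over an independent channel.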