| 1 |
I'm having trouble with my bank site. The login page gives me an SSL |
| 2 |
failed warning in both Konqueror (for about a month) and now Firefox as |
| 3 |
well. I don't seem to see any relevant Gentoo bugs on this yet, but |
| 4 |
would like to confirm it's not a MitM attack before I file one. It |
| 5 |
doesn't seem to happen at other SSL sites, so it doesn't appear to be a |
| 6 |
general SSL error, tho it might be one with that particular type of |
| 7 |
certificate. |
| 8 |
|
| 9 |
The site (login isn't necessary, the error comes on the initial connect): |
| 10 |
|
| 11 |
https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller?state=AZ |
| 12 |
|
| 13 |
Konqueror 3.5.7's error: |
| 14 |
|
| 15 |
The server failed the authenticity test (<site domain>). |
| 16 |
|
| 17 |
Details gives me this: |
| 18 |
|
| 19 |
Certificate signing authority is unknown or invalid. |
| 20 |
|
| 21 |
The issuer appears to be VeriSign, Inc. Common name: VeriSign Class 3 |
| 22 |
Secure Server CA. The certificate is fairly new, valid from Monday, 20 |
| 23 |
August 2007, 00:00:00 GMT. |
| 24 |
|
| 25 |
In case anyone wishes to verify the specifics, Konqueror lists the serial |
| 26 |
number as (spaces added for readability) 1100 7197 7289 5102 6319 8066 |
| 27 |
3729 4699 1776 610, MD5 digest as |
| 28 |
9B:B9:DB:12:3D:B6:99:19:B1:99:6E:1C:9F:CE:7C:E5, Cypher RC4-SHA, SSL |
| 29 |
version TLSv1/SSLv3, 128-bit used of 128 bit cipher. |
| 30 |
|
| 31 |
I thought it was just Konqueror strangeness until Firefox (which worked |
| 32 |
at first, after Konqueror quit) started protesting as well. |
| 33 |
|
| 34 |
Firefox: |
| 35 |
|
| 36 |
Unable to verifiy the identity of <site> as a trusted site. Possible |
| 37 |
reasons for this error [etc...] |
| 38 |
|
| 39 |
Examine Certificate lists similar details: |
| 40 |
|
| 41 |
Serial in hex this time as: |
| 42 |
52:CF:17:7A:4E:1C:0C:E4:7B:A6:3C:E0:0B:DC:03:62 |
| 43 |
|
| 44 |
MD5 fingerprint the same, same issuer, VeriSign Class 3 Secure Server CA, |
| 45 |
etc, so it appears to be the same cert, with the same problem. |
| 46 |
|
| 47 |
So what's up? Anyone else having problems? You should be able to check |
| 48 |
the SSL even without a login. They do seem to be only with the latest |
| 49 |
version, at least of Firefox, since I didn't have issues with it until I |
| 50 |
updated just a couple days ago. |
| 51 |
|
| 52 |
Again, most secure sites work just fine, but it could still be one of the |
| 53 |
SSL libraries. |
| 54 |
|
| 55 |
BTW, I have bills coming due that it'd be nice to be able to pay, so it'd |
| 56 |
in turn be nice to at least get a confirmation from others that the |
| 57 |
cert's not compromised. I can (well, should be able to, I've not |
| 58 |
actually tried, but I get the option presented) still accept it manually |
| 59 |
once I'm sure it's not a MitM attack. |
| 60 |
|
| 61 |
-- |
| 62 |
Duncan - List replies preferred. No HTML msgs. |
| 63 |
"Every nonfree program has a lord, a master -- |
| 64 |
and if you use the program, he is your master." Richard Stallman |
| 65 |
|
| 66 |
-- |
| 67 |
gentoo-desktop@g.o mailing list |
Archives