
Certificate for forums.freebsd.org changed?

getopt

Well-Known Member

Thanks: 294
Messages: 494

#1
Can someone verify the fingerprint of the new certificate for forums.freebsd.org, please?
Certificate issued by Gandi Standard SSL CA 2
Code:
SHA-256 D9:2B:B8:10:0B:AD:C8:EF:6B:15:E7:43:2E:56:58:70:CD:42:3D:95:1B:68:56:FF:36:30:12:DE:44:7D:C8:BA
And it would be nice to be informed when such events take place.
Is there a link where one can verify it?
 

drhowarddrfine

Daemon

Thanks: 628
Messages: 2,384

#2
I don't understand the problem. Sites change and update certs all the time, especially now that Google, and others, are deprecating and obsoleting some algorithms.

Did you get a browser error?
 

hukadan

Active Member

Thanks: 140
Messages: 235

#3
Personally I got one this morning.

-- Edit --
And still have as shown by this image.

-- Edit 2 --
Can it come from the recent update of security/ca_root_nss? (Meaning I have the old one and may need the new one.)
 


kpa

Beastie's Twin

Thanks: 1,673
Messages: 6,084

#6
I didn't see a thing, and that's probably because my browser (Chrome on OS X) works correctly and doesn't make a fuss about a changed but yet completely valid certificate.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,476
Messages: 25,636

#7
When you get a warning from your browser regarding a certificate that nasty things might be going on, do you always just click OK blindly?
What purpose do fingerprints have?
What's a fingerprint worth, when you cannot verify it?
There's no need to verify the certificate because it's been signed by a trusted CA and verification is done automatically. The only reason you get the warning is when your browser doesn't trust this CA and therefore cannot validate it.
 

JamesElstone

Active Member

Thanks: 22
Messages: 102

#8
Hi All,

What is going on with the Forums SSL certificate then?
  • On FreeBSD v10.1-p9 (using Midori), the signing certificate authority is not known (can't view),
  • On Android (4.4.2) I get NET::ERR_CERT_AUTHORITY_INVALID, and
  • On MS Windows (with recent updates now applied) I don't get an issue and the keychain looks valid!?
If you give the SSL cert a quick rollover in an SSL analyser, the issue seems to be that the Gandi Standard SSL CA 2 certification chain is not valid to a root CA:
https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org&hideResults=on

Looking at Gandi's website, it seems they have a known issue whereby intermediate sub-CA authority SHA2 certificates need to be installed on the webserver as well as the signing cert:
http://wiki.gandi.net/en/ssl/intermediate

Who should this be raised with to get fixed?

Kr,

James
 

jrm@

Daemon
Developer

Thanks: 438
Messages: 1,157

#9
I didn't see a thing, and that's probably because my browser (Chrome on OS X) works correctly and doesn't make a fuss about a changed but yet completely valid certificate.
Chrome's behaviour across platforms is apparently inconsistent. Below is what the latest Chrome (with default security settings) decides to do on Android.
 

kpa

Beastie's Twin

Thanks: 1,673
Messages: 6,084

#10
Chrome's behaviour across platforms is apparently not consistent. Below is what the latest Chrome (with default security settings) decides to do on Android.
My guess is it depends on the pre-loaded certificates that come with the OS; Chrome on OS X uses what Apple has put in the system keychain.
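
Added example, not part of any post in this thread: a small Python model of certificate path building that shows how the same served chain can pass on one client and fail on another, as described in posts #8 and #10. The leaf and intermediate names come from the thread; the root name, the `Cert` type and `build_path` are assumptions made up for the illustration, and only issuer linkage is modelled (no signature, validity or revocation checks).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

# Constructed sample data. Leaf and intermediate names are the ones quoted in
# the thread; the root name is a placeholder, not the real root certificate.
LEAF = Cert("forums.freebsd.org", "Gandi Standard SSL CA 2")
INTERMEDIATE = Cert("Gandi Standard SSL CA 2", "Placeholder Root CA")
ROOT = Cert("Placeholder Root CA", "Placeholder Root CA")  # self-signed

def build_path(served, local_store):
    """Follow issuer links from the leaf (served[0]) toward a trusted root.

    served      -- certificates the server sent in the handshake, leaf first
    local_store -- certificates already present on the client
    Returns (ok, path_subjects, missing_issuer).
    """
    # Self-signed certificates in the local store act as trust anchors.
    roots = {c.subject for c in local_store if c.subject == c.issuer}
    # Intermediates may come from the server or from the client's own store.
    candidates = {c.subject: c for c in list(served[1:]) + list(local_store)}
    current, path = served[0], [served[0].subject]
    while True:
        if current.issuer in roots:
            return True, path + [current.issuer], None
        nxt = candidates.get(current.issuer)
        if nxt is None or nxt.subject in path:  # gap in the chain, or a loop
            return False, path, current.issuer
        path.append(nxt.subject)
        current = nxt

def scenarios():
    """The three situations discussed in the thread, keyed by description."""
    return {
        "leaf only served, client has root only":
            build_path([LEAF], [ROOT]),
        "leaf only served, client already holds the intermediate":
            build_path([LEAF], [ROOT, INTERMEDIATE]),
        "leaf + intermediate served, client has root only":
            build_path([LEAF, INTERMEDIATE], [ROOT]),
    }

if __name__ == "__main__":
    for name, (ok, path, missing) in scenarios().items():
        status = "OK" if ok else f"FAIL (no issuer cert for: {missing})"
        print(f"{name}: {' -> '.join(path)} : {status}")
```

Only the third scenario works for every client, which is why the server has to send the intermediate along with its own certificate.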
 

hukadan

Active Member

Thanks: 140
Messages: 235

#15
Works fine for me too with Firefox on FreeBSD 10.1-RELEASE-p9. Thanks!
 

brd@

Administrator
Staff member
Administrator
Moderator
Developer

Thanks: 89
Messages: 297

#17
Sorry about that, folks, I just verified it worked in one browser. Will check with SSLLabs in the future to make sure things are 100%.