Opened 6 years ago

Closed 5 years ago

#794 closed defect (fixed)

Set up SSL certs from a "legitimate" CA

Reported by: dg Owned by: welterde
Priority: major Milestone:
Component: www/i2p Version:
Keywords: Cc: luminosus@…
Parent Tickets:

Description

SSL on the websites is important, IMHO.
Having users get MITM'd isn't great, and whilst CACert is trusted by some browsers and is valid for, say, a lot of Linux users -- it's useless for Windows etc. users who are trying to get i2p securely.
There are flaws with HTTPS, we all know this, but a legitimate CA's cert would be better than none/invalid.

Subtickets

Attachments (1)

nottrusted.png (80.2 KB) - added by killyourtv 5 years ago.


Change History (17)

comment:1 Changed 6 years ago by dg

  • Owner set to welterde
  • Status changed from new to assigned

comment:2 Changed 6 years ago by luminosus

  • Cc luminosus@… added

I'd also like to bring to your attention, in case you haven't heard of it already, the HSTS [0] standard, which is a lot safer than a simple redirect from http to https.

Thank you,

[0] https://tools.ietf.org/html/rfc6797

comment:3 follow-up: Changed 6 years ago by str4d

  • Milestone changed from 0.9.4 to 0.9.6
  • Summary changed from SSL to Set up SSL certs from a "legitimate" CA

This has been completed, no? I see an SSL cert from Comodo on https://www.i2p2.de (though my TorBrowser does not recognize the CA and says it is invalid).

comment:4 in reply to: ↑ 3 Changed 6 years ago by guest

Replying to str4d:

This has been completed, no? I see an SSL cert from Comodo on https://www.i2p2.de (though my TorBrowser does not recognize the CA and says it is invalid).

Tor Browser Bundle should work with i2p2.de TLS in order for this to be acceptable. You may need to send the CA bundle in the web server.

comment:5 follow-ups: Changed 6 years ago by luminosus

Hi there,

Since we now own a certificate from a trusted CA, I'd like to remind you of an issue I raised 6 months ago. We should configure our web server to redirect to https or, even better, apply the HTTP Strict Transport Security (HSTS) standard [0] for more security.

[0] https://tools.ietf.org/html/rfc6797

comment:6 Changed 5 years ago by guest

  • Resolution set to worksforme
  • Status changed from assigned to closed

comment:7 Changed 5 years ago by str4d

  • Resolution worksforme deleted
  • Status changed from closed to reopened

comment:8 Changed 5 years ago by guest

  • Resolution set to invalid
  • Status changed from reopened to closed

comment:9 Changed 5 years ago by str4d

  • Resolution invalid deleted
  • Status changed from closed to reopened

comment:10 in reply to: ↑ 5 Changed 5 years ago by killyourtv

Replying to luminosus:

Hi there,

Since we now own a certificate from a trusted CA, I'd like to remind you of an issue I raised 6 months ago. We should configure our web server to redirect to https or, even better, apply the HTTP Strict Transport Security (HSTS) standard [0] for more security.

[0] https://tools.ietf.org/html/rfc6797

I'll take care of HSTS on the Trac side.

comment:11 Changed 5 years ago by killyourtv

  • Milestone 0.9.6 deleted
  • Version 0.9.3 deleted

comment:12 Changed 5 years ago by killyourtv

  • Priority changed from minor to major

Also see #595 concerning HTTP login & register links on Trac.

comment:13 in reply to: ↑ 5 Changed 5 years ago by killyourtv

  • Resolution set to fixed
  • Status changed from reopened to closed

Replying to luminosus:

Hi there,

Since we now own a certificate from a trusted CA, I'd like to remind you of an issue I raised 6 months ago. We should configure our web server to redirect to https or, even better, apply the HTTP Strict Transport Security (HSTS) standard [0] for more security.

[0] https://tools.ietf.org/html/rfc6797

HSTS has been enabled on Trac.

Replying to guest:

Replying to str4d:

This has been completed, no? I see an SSL cert from Comodo on https://www.i2p2.de (though my TorBrowser does not recognize the CA and says it is invalid).

Tor Browser Bundle should work with i2p2.de TLS in order for this to be acceptable. You may need to send the CA bundle in the web server.

Both https://www.i2p2.de & https://trac.i2p2.de work in my TBB so I think this ticket has been resolved.

Closing as resolved.

comment:14 Changed 5 years ago by killyourtv

  • Resolution fixed deleted
  • Status changed from closed to reopened

I tried https://www.i2p2.de from a Tails installation and I got a message about a failed trust path (I didn't have the foresight to get the exact message).

When I went to the site again there were no errors returned. Using gnutls-cli however:

$ gnutls-cli i2p2.de < /dev/null
Processed 164 CA certificate(s).
Resolving 'i2p2.de'...
Connecting to '2a01:4f8:121:4fff:0:1:248:202:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `OU=Domain Control Validated,OU=COMODO SSL Wildcard,CN=*.i2p2.de', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO SSL CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-04-16 00:00:00 UTC', expires `2018-04-15 23:59:59 UTC', SHA-1 fingerprint `49da37afe2949b1672eb2dedfc8ca929ce48ecff'
        Public Key Id:
                5f6759276f1c6d7b0c7fa0f8fcf5151f142bfd83
        Public key's random art:
                +--[ RSA 2048]----+
                |               . |
                |              . +|
                |             .+==|
                |           . .+%=|
                |        S . oE+=X|
                |         . + o .B|
                |          . o   +|
                |             . .o|
                |              . .|
                +-----------------+

- Status: The certificate is NOT trusted. The certificate issuer is unknown. 
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

Compare that with the results from the cert for trac.i2p2.de which I installed:

$ gnutls-cli trac.i2p2.de < /dev/null
Processed 164 CA certificate(s).
Resolving 'trac.i2p2.de'...
Connecting to '193.150.121.69:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `OU=Domain Control Validated,OU=COMODO SSL Wildcard,CN=*.i2p2.de', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO SSL CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-04-16 00:00:00 UTC', expires `2018-04-15 23:59:59 UTC', SHA-1 fingerprint `49da37afe2949b1672eb2dedfc8ca929ce48ecff'
        Public Key Id:
                5f6759276f1c6d7b0c7fa0f8fcf5151f142bfd83
        Public key's random art:
                +--[ RSA 2048]----+
                |               . |
                |              . +|
                |             .+==|
                |           . .+%=|
                |        S . oE+=X|
                |         . + o .B|
                |          . o   +|
                |             . .o|
                |              . .|
                +-----------------+

- Certificate[1] info:
 - subject `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO SSL CA', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 2048 bits, signed using RSA-SHA1, activated `2011-08-23 00:00:00 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `b4c66180c520bad688470ef80bb22beba8391c22'
- Status: The certificate is trusted. 
- Description: (TLS1.2-PKIX)-(RSA)-(AES-128-GCM)-(AEAD)
- Session ID: 3F:7B:1D:E9:8E:FD:63:E2:10:FE:DA:9A:EF:5A:DE:E8:46:03:93:FC:76:02:E3:74:90:DB:FD:45:9A:93:52:D8
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

Reopening because it looks like the certificates are not installed/configured properly.
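The difference between the two gnutls-cli sessions above (a list of 1 certificate that is "NOT trusted", versus a list of 2 that verifies) can be reproduced offline. The script below is an added example, not code from the ticket or the I2P project: it builds a throwaway root, intermediate and leaf with openssl and checks the leaf with and without the intermediate; every name and file in it is made up.

```shell
#!/bin/sh
# Added example, not from the ticket: reproduce "certificate issuer is unknown"
# with a throwaway PKI. Every name and file below is made up for the demo.
set -e
DEMO=$(mktemp -d)
cd "$DEMO"

# Build root -> intermediate -> leaf, the same shape as
# AddTrust External CA Root -> COMODO SSL CA -> *.i2p2.de in the ticket.
make_demo_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 365 \
        -extfile ca.ext -out root.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 365 -extfile ca.ext -out int.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.demo.test" \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 365 -out leaf.pem 2>/dev/null
    # What the web server should actually serve: leaf first, then intermediate.
    cat leaf.pem int.pem > fullchain.pem
}

# Verify leaf.pem the way a client with only the root in its trust store does.
# Exit 0 = trusted; nonzero = the gnutls-cli "issuer is unknown" situation.
verify_leaf() {   # verify_leaf <trust anchor> [untrusted intermediates]
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1
    fi
}

# Number of certificates in a PEM bundle (gnutls-cli's "certificate list of N").
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

make_demo_pki
if verify_leaf root.pem; then echo "leaf alone: trusted"; else echo "leaf alone: issuer unknown"; fi
if verify_leaf root.pem int.pem; then echo "leaf + intermediate: trusted"; fi
echo "fullchain.pem carries $(count_certs fullchain.pem) certificates; leaf.pem carries $(count_certs leaf.pem)"
```

A server configured with leaf.pem alone produces the first gnutls-cli result; one configured with fullchain.pem produces the second.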

comment:15 Changed 5 years ago by killyourtv

I tried again and got the error in Firefox/Iceweasel:

Technical Details

www.i2p2.de uses an invalid security certificate.

The certificate is not trusted because no issuer chain was provided.

(Error code: sec_error_unknown_issuer)

Changed 5 years ago by killyourtv

comment:16 Changed 5 years ago by killyourtv

  • Resolution set to fixed
  • Status changed from reopened to closed

On second thought, since this is a new problem (we *do* have proper certs after all), I opened ticket:1113.
