Opened 6 years ago
Closed 5 years ago
#794 closed defect (fixed)
Set up SSL certs from a "legitimate" CA
| Reported by: | dg | Owned by: | welterde |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | www/i2p | Version: | |
| Keywords: | Cc: | luminosus@… | |
| Parent Tickets: |
Description
SSL on the websites is important, IMHO.
Having users get MITM'd isn't great, and whilst CACert is trusted by some browsers and is valid for say, a lot of Linux users -- it's useless for Windows etc users who are trying to get i2p securely.
There's flaws with HTTPS, we all know this but a legitimate CA's cert would be better than none/invalid.
Subtickets
Attachments (1)
Change History (17)
comment:1 Changed 6 years ago by dg
- Owner set to welterde
- Status changed from new to assigned
comment:2 Changed 6 years ago by luminosus
- Cc luminosus@… added
comment:3 follow-up: ↓ 4 Changed 6 years ago by str4d
- Milestone changed from 0.9.4 to 0.9.6
- Summary changed from SSL to Set up SSL certs from a "legitimate" CA
This has been completed, no? I see an SSL cert from Comodo on https://www.i2p2.de (though my TorBrowser? does not recognize the CA and says it is invalid).
comment:4 in reply to: ↑ 3 Changed 6 years ago by guest
Replying to str4d:
This has been completed, no? I see an SSL cert from Comodo on https://www.i2p2.de (though my TorBrowser? does not recognize the CA and says it is invalid).
Tor Browser Bundle should work with i2p2.de TLS in order for this to be acceptable. You may need to send the CA bundle in the web server.
comment:5 follow-ups: ↓ 10 ↓ 13 Changed 6 years ago by luminosus
Hi there,
Since we now own a certificate from a trusted CA I'd like to remind you an issue I've set 6 months ago. We should configure our web server to redirect to https or even better apply the HTTP Strict Transport Security (HSTS) standard [0] for more security.
comment:6 Changed 6 years ago by guest
- Resolution set to worksforme
- Status changed from assigned to closed
comment:7 Changed 6 years ago by str4d
- Resolution worksforme deleted
- Status changed from closed to reopened
comment:8 Changed 6 years ago by guest
- Resolution set to invalid
- Status changed from reopened to closed
comment:9 Changed 6 years ago by str4d
- Resolution invalid deleted
- Status changed from closed to reopened
comment:10 in reply to: ↑ 5 Changed 6 years ago by killyourtv
Replying to luminosus:
Hi there,
Since we now own a certificate from a trusted CA I'd like to remind you an issue I've set 6 months ago. We should configure our web server to redirect to https or even better apply the HTTP Strict Transport Security (HSTS) standard [0] for more security.
I'll take care of HSTS on the Trac side.
comment:11 Changed 6 years ago by killyourtv
- Milestone 0.9.6 deleted
- Version 0.9.3 deleted
comment:12 Changed 6 years ago by killyourtv
- Priority changed from minor to major
Also see #595 concerning HTTP login & register links on Trac.
comment:13 in reply to: ↑ 5 Changed 6 years ago by killyourtv
- Resolution set to fixed
- Status changed from reopened to closed
Replying to luminosus:
Hi there,
Since we now own a certificate from a trusted CA I'd like to remind you an issue I've set 6 months ago. We should configure our web server to redirect to https or even better apply the HTTP Strict Transport Security (HSTS) standard [0] for more security.
HSTS has been enabled on Trac.
Replying to guest:
Replying to str4d:
This has been completed, no? I see an SSL cert from Comodo on https://www.i2p2.de (though my TorBrowser? does not recognize the CA and says it is invalid).
Tor Browser Bundle should work with i2p2.de TLS in order for this to be acceptable. You may need to send the CA bundle in the web server.
Both https://www.i2p2.de & https://trac.i2p2.de work in my TBB so I think this ticket has been resolved.
Closing as resolved.
comment:14 Changed 5 years ago by killyourtv
- Resolution fixed deleted
- Status changed from closed to reopened
I tried https://www.i2p2.de from a Tails installation and I got a message about a failed trust path (I didn't have the foresight to get the exact message).
When I went to the site again there were no errors returned. Using gnutls-cli however:
$ gnutls-cli i2p2.de < /dev/null
Processed 164 CA certificate(s).
Resolving 'i2p2.de'...
Connecting to '2a01:4f8:121:4fff:0:1:248:202:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `OU=Domain Control Validated,OU=COMODO SSL Wildcard,CN=*.i2p2.de', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO SSL CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-04-16 00:00:00 UTC', expires `2018-04-15 23:59:59 UTC', SHA-1 fingerprint `49da37afe2949b1672eb2dedfc8ca929ce48ecff'
Public Key Id:
5f6759276f1c6d7b0c7fa0f8fcf5151f142bfd83
Public key's random art:
+--[ RSA 2048]----+
| . |
| . +|
| .+==|
| . .+%=|
| S . oE+=X|
| . + o .B|
| . o +|
| . .o|
| . .|
+-----------------+
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
Compare that with the results from the cert for trac.i2p2.de which I installed:
$ gnutls-cli trac.i2p2.de < /dev/null
Processed 164 CA certificate(s).
Resolving 'trac.i2p2.de'...
Connecting to '193.150.121.69:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `OU=Domain Control Validated,OU=COMODO SSL Wildcard,CN=*.i2p2.de', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO SSL CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-04-16 00:00:00 UTC', expires `2018-04-15 23:59:59 UTC', SHA-1 fingerprint `49da37afe2949b1672eb2dedfc8ca929ce48ecff'
Public Key Id:
5f6759276f1c6d7b0c7fa0f8fcf5151f142bfd83
Public key's random art:
+--[ RSA 2048]----+
| . |
| . +|
| .+==|
| . .+%=|
| S . oE+=X|
| . + o .B|
| . o +|
| . .o|
| . .|
+-----------------+
- Certificate[1] info:
- subject `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO SSL CA', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 2048 bits, signed using RSA-SHA1, activated `2011-08-23 00:00:00 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `b4c66180c520bad688470ef80bb22beba8391c22'
- Status: The certificate is trusted.
- Description: (TLS1.2-PKIX)-(RSA)-(AES-128-GCM)-(AEAD)
- Session ID: 3F:7B:1D:E9:8E:FD:63:E2:10:FE:DA:9A:EF:5A:DE:E8:46:03:93:FC:76:02:E3:74:90:DB:FD:45:9A:93:52:D8
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL
- Handshake was completed
- Simple Client Mode:
Reopening because it looks like the certificates are not installed/configured properly.
comment:15 Changed 5 years ago by killyourtv
I tried again and got the error in Firefox/Iceweasel:
Technical Details
www.i2p2.de uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
Changed 5 years ago by killyourtv
comment:16 Changed 5 years ago by killyourtv
- Resolution set to fixed
- Status changed from reopened to closed
On second thought, since this is a new problem (we *do* have proper certs after all), I opened ticket:1113.
I'd also like to bring to your attention, in case of you haven't heard of it already, the HSTS [0] standard which is a lot safer than a simple redirect from http to https.
Thank you,
[0] https://tools.ietf.org/html/rfc6797