Opened 7 years ago

Closed 6 years ago

#794 closed defect (fixed)

Set up SSL certs from a "legitimate" CA

Reported by: dg Owned by: welterde
Priority: major Milestone:
Component: www/i2p Version:
Keywords: Cc: luminosus@…
Parent Tickets: Sensitive: no

Description

SSL on the websites is important, IMHO.
Having users get MITM'd isn't great, and whilst CACert is trusted by some browsers and is valid for, say, a lot of Linux users, it's useless for Windows etc. users who are trying to get I2P securely.
There are flaws with HTTPS, we all know this, but a legitimate CA's cert would be better than none/invalid.

Subtickets

Attachments (1)

nottrusted.png (80.2 KB) - added by killyourtv 6 years ago.


Change History (17)

comment:1 Changed 7 years ago by dg

Owner: set to welterde
Status: new → assigned

comment:2 Changed 7 years ago by luminosus

Cc: luminosus@… added

I'd also like to bring to your attention, in case you haven't heard of it already, the HSTS [0] standard, which is a lot safer than a simple redirect from http to https.

Thank you,

[0] https://tools.ietf.org/html/rfc6797

comment:3 Changed 6 years ago by str4d

Milestone: 0.9.4 → 0.9.6
Summary: SSL → Set up SSL certs from a "legitimate" CA

This has been completed, no? I see an SSL cert from Comodo on https://www.i2p2.de (though my TorBrowser does not recognize the CA and says it is invalid).

comment:4 in reply to: 3 Changed 6 years ago by DISABLED

Replying to str4d:

This has been completed, no? I see an SSL cert from Comodo on https://www.i2p2.de (though my TorBrowser does not recognize the CA and says it is invalid).

Tor Browser Bundle should work with i2p2.de TLS in order for this to be acceptable. You may need to send the CA bundle in the web server.

comment:5 Changed 6 years ago by luminosus

Hi there,

Since we now own a certificate from a trusted CA, I'd like to remind you of an issue I raised 6 months ago. We should configure our web server to redirect to https or, even better, apply the HTTP Strict Transport Security (HSTS) standard [0] for more security.

[0] https://tools.ietf.org/html/rfc6797
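The distinction luminosus draws (a redirect versus an HSTS policy) is in how the client treats the header. The script below is an added example, not code from the ticket or the I2P project: it evaluates a captured `Strict-Transport-Security` header the way RFC 6797 section 8.1 tells a user agent to, and runs it over constructed responses (no real server is contacted; the hostname `www.example.test` and the header values are made up). It assumes only POSIX sh, awk, grep and tr.

```shell
#!/bin/sh
# Added example (not from the ticket). Evaluates the Strict-Transport-Security
# header in a captured response the way RFC 6797 tells clients to (section 8.1):
# the header only counts when received over TLS, it needs a max-age directive,
# and max-age=0 means "forget this host". Assumes POSIX sh, awk, grep, tr only.
set -eu

# hsts_status <scheme the response came over> <file with raw response headers>
# prints: ignored-insecure | missing | disabled | ok:<max-age>[,includeSubDomains]
hsts_status() {
  scheme=$1; hdrs=$2
  # RFC 6797 s8.1: a UA MUST ignore STS headers received over non-secure transport,
  # so a header on the plain-HTTP redirect does nothing for the client
  [ "$scheme" = https ] || { echo ignored-insecure; return 0; }
  # header names are case-insensitive; only the first STS header is processed
  sts=$(awk -F': *' 'tolower($1)=="strict-transport-security" {print $2; exit}' "$hdrs" | tr -d '\r')
  [ -n "$sts" ] || { echo missing; return 0; }
  # directives are ';'-separated, values may be quoted; max-age is mandatory
  dirs=$(printf '%s\n' "$sts" | tr ';' '\n' | tr -d ' "')
  maxage=$(printf '%s\n' "$dirs" | awk -F= 'tolower($1)=="max-age" {print $2; exit}')
  case "$maxage" in
    '' | *[!0-9]*) echo missing; return 0 ;;   # absent or malformed: UA ignores the header
    0) echo disabled; return 0 ;;              # max-age=0: UA drops any stored policy
  esac
  if printf '%s\n' "$dirs" | grep -qi '^includesubdomains$'; then
    echo "ok:$maxage,includeSubDomains"
  else
    echo "ok:$maxage"
  fi
}

# Constructed responses (not captured from any real server).
# A plain-HTTP redirect, even one that sets the header, gives the client no policy:
cat > http_redirect.txt <<'EOF'
HTTP/1.1 301 Moved Permanently
Location: https://www.example.test/
Strict-Transport-Security: max-age=31536000
EOF
# The HTTPS response is where the policy has to be sent:
cat > https_ok.txt <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html
strict-transport-security: max-age=31536000; includeSubDomains
EOF
# HTTPS but no header at all (a redirect-only setup):
cat > https_nohsts.txt <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html
EOF

for f in http_redirect https_ok https_nohsts; do
  case $f in http_*) scheme=http ;; *) scheme=https ;; esac
  echo "$f -> $(hsts_status $scheme $f.txt)"
done
```

The point for this ticket: a 301 from http to https protects only the first request, and a `Strict-Transport-Security` header on that plain-HTTP response is ignored by the client, so the header has to be sent on the HTTPS responses. A side effect worth knowing before enabling it: once a client has stored the policy, it will refuse to connect through a certificate error instead of offering a click-through, so the certificate chain has to be correct first.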

comment:6 Changed 6 years ago by DISABLED

Resolution: worksforme
Status: assigned → closed

comment:7 Changed 6 years ago by str4d

Resolution: worksforme
Status: closed → reopened

comment:8 Changed 6 years ago by DISABLED

Resolution: invalid
Status: reopened → closed

comment:9 Changed 6 years ago by str4d

Resolution: invalid
Status: closed → reopened

comment:10 in reply to: 5 Changed 6 years ago by killyourtv

Replying to luminosus:

Hi there,

Since we now own a certificate from a trusted CA, I'd like to remind you of an issue I raised 6 months ago. We should configure our web server to redirect to https or, even better, apply the HTTP Strict Transport Security (HSTS) standard [0] for more security.

[0] https://tools.ietf.org/html/rfc6797

I'll take care of HSTS on the Trac side.

comment:11 Changed 6 years ago by killyourtv

Milestone: 0.9.6
Version: 0.9.3

comment:12 Changed 6 years ago by killyourtv

Priority: minor → major

Also see #595 concerning HTTP login & register links on Trac.

comment:13 in reply to: 5 Changed 6 years ago by killyourtv

Resolution: fixed
Status: reopened → closed

Replying to luminosus:

Hi there,

Since we now own a certificate from a trusted CA, I'd like to remind you of an issue I raised 6 months ago. We should configure our web server to redirect to https or, even better, apply the HTTP Strict Transport Security (HSTS) standard [0] for more security.

[0] https://tools.ietf.org/html/rfc6797

HSTS has been enabled on Trac.

Replying to guest:

Replying to str4d:

This has been completed, no? I see an SSL cert from Comodo on https://www.i2p2.de (though my TorBrowser does not recognize the CA and says it is invalid).

Tor Browser Bundle should work with i2p2.de TLS in order for this to be acceptable. You may need to send the CA bundle in the web server.

Both https://www.i2p2.de & https://trac.i2p2.de work in my TBB so I think this ticket has been resolved.

Closing as resolved.

comment:14 Changed 6 years ago by killyourtv

Resolution: fixed
Status: closed → reopened

I tried https://www.i2p2.de from a Tails installation and I got a message about a failed trust path (I didn't have the foresight to get the exact message).

When I went to the site again there were no errors returned. Using gnutls-cli however:

$ gnutls-cli i2p2.de < /dev/null
Processed 164 CA certificate(s).
Resolving 'i2p2.de'...
Connecting to '2a01:4f8:121:4fff:0:1:248:202:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `OU=Domain Control Validated,OU=COMODO SSL Wildcard,CN=*.i2p2.de', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO SSL CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-04-16 00:00:00 UTC', expires `2018-04-15 23:59:59 UTC', SHA-1 fingerprint `49da37afe2949b1672eb2dedfc8ca929ce48ecff'
        Public Key Id:
                5f6759276f1c6d7b0c7fa0f8fcf5151f142bfd83
        Public key's random art:
                +--[ RSA 2048]----+
                |               . |
                |              . +|
                |             .+==|
                |           . .+%=|
                |        S . oE+=X|
                |         . + o .B|
                |          . o   +|
                |             . .o|
                |              . .|
                +-----------------+

- Status: The certificate is NOT trusted. The certificate issuer is unknown. 
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

Compare that with the results from the cert for trac.i2p2.de which I installed:

$ gnutls-cli trac.i2p2.de < /dev/null
Processed 164 CA certificate(s).
Resolving 'trac.i2p2.de'...
Connecting to '193.150.121.69:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `OU=Domain Control Validated,OU=COMODO SSL Wildcard,CN=*.i2p2.de', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO SSL CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-04-16 00:00:00 UTC', expires `2018-04-15 23:59:59 UTC', SHA-1 fingerprint `49da37afe2949b1672eb2dedfc8ca929ce48ecff'
        Public Key Id:
                5f6759276f1c6d7b0c7fa0f8fcf5151f142bfd83
        Public key's random art:
                +--[ RSA 2048]----+
                |               . |
                |              . +|
                |             .+==|
                |           . .+%=|
                |        S . oE+=X|
                |         . + o .B|
                |          . o   +|
                |             . .o|
                |              . .|
                +-----------------+

- Certificate[1] info:
 - subject `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO SSL CA', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 2048 bits, signed using RSA-SHA1, activated `2011-08-23 00:00:00 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `b4c66180c520bad688470ef80bb22beba8391c22'
- Status: The certificate is trusted. 
- Description: (TLS1.2-PKIX)-(RSA)-(AES-128-GCM)-(AEAD)
- Session ID: 3F:7B:1D:E9:8E:FD:63:E2:10:FE:DA:9A:EF:5A:DE:E8:46:03:93:FC:76:02:E3:74:90:DB:FD:45:9A:93:52:D8
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

Reopening because it looks like the certificates are not installed/configured properly.

comment:15 Changed 6 years ago by killyourtv

I tried again and got the error in Firefox/Iceweasel:


Technical Details

www.i2p2.de uses an invalid security certificate.

The certificate is not trusted because no issuer chain was provided.

(Error code: sec_error_unknown_issuer)

Last edited 6 years ago by killyourtv

Changed 6 years ago by killyourtv

Attachment: nottrusted.png added

comment:16 Changed 6 years ago by killyourtv

Resolution: fixed
Status: reopened → closed

On second thought, since this is a new problem (we *do* have proper certs after all), I opened ticket:1113.
