Just renewed my WMUK membership, and Firefox balked at the SSL certificate. The cert doesn't expire until 2019, but Firefox 54 doesn't like it.
Oddly, Chromium 58 is fine with it.
Can anyone see what's wrong, which CA Firefox doesn't like any more etc?
- d.
This seems to be a really odd and annoying error. I've come across it several times myself, using Firefox, but this time I had no problems with the certificate. I'm running Firefox for Mac 53.0.3 on MacOS Sierra.
Michael
David Gerard mailto:dgerard@gmail.com 15 June 2017 at 10:28 am Just renewed my WMUK membership, and Firefox balked at the SSL certificate. The cert doesn't expire until 2019, but Firefox 54 doesn't like it.
Oddly, Chromium 58 is fine with it.
Can anyone see what's wrong, which CA Firefox doesn't like any more etc?
- d.
Wikimedia UK mailing list wikimediauk-l@wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikimediauk-l WMUK: https://wikimedia.org.uk
Update to Firefox 54 (just hit the Ubuntu repos today) and see what it does?
On 15 June 2017 at 11:37, Michael Maggs Michael@maggs.name wrote:
This seems to be a really odd and annoying error. I've come across it several times myself, using Firefox, but this time I had no problems with the certificate. I'm running Firefox for Mac 53.0.3 on MacOS Sierra.
Michael
Hi
Please open a ticket for that and explain exactly what goes wrong. I'll have a look this WE.
Emmanuel
On 15.06.2017 12:52, David Gerard wrote:
Update to Firefox 54 (just hit the Ubuntu repos today) and see what it does?
not sure where I would file a ticket, but here's what happens:
go to site, you get:
Your connection is not secure

The owner of donate.wikimedia.org.uk has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site.

donate.wikimedia.org.uk uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.

Error code: SEC_ERROR_UNKNOWN_ISSUER
so Michael Maggs may have the necessary intermediate cert already installed, and I don't (but do in Chromium).
SSL Labs doesn't like it either: https://www.ssllabs.com/ssltest/analyze.html?d=donate.wikimedia.org.uk&l...

Chain issues Incomplete, Extra certs
Signature algorithm SHA1withRSA INSECURE
Intermediate certificate has an insecure signature. Upgrade to SHA2 as soon as possible to avoid browser warnings.

Extra download Gandi Pro SSL CA 2
Fingerprint SHA256: 1f2028716e33584f33fa920a80247beecdc3d7cb26519554c644ce4c4c6077a9
Pin SHA256: XQpYwYiHpVLml4eYccUVEZJpEOh5QrryTkXbWPum2FM=
RSA 2048 bits (e 65537) / SHA384withRSA

Extra download USERTrust RSA Certification Authority
Fingerprint SHA256: 1a5174980a294a528a110726d5855650266c48d9883bea692b67b6d726da98c5
Pin SHA256: x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4=
RSA 4096 bits (e 65537) / SHA384withRSA
- d.
On 15 June 2017 at 12:04, Emmanuel Engelhart emmanuel@engelhart-software.com wrote:
Hi
Please open a ticket for that and explain exactly what goes wrong. I'll have a look this WE.
Emmanuel
-- Emmanuel Engelhart Software Development Expert Zurich, Switzerland +41 797 670 398
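Added example, not part of the original thread: a shell check, using the openssl CLI, that reproduces the "issuer certificate is unknown" condition David reports by verifying what a server sends against a trust store that holds only the root. The throwaway PKI, the host name donate.example.test, the file names and the function names are all constructed for this illustration.

```sh
#!/bin/sh
# Constructed demo PKI (root -> intermediate -> leaf); nothing here is WMUK's.

# gen_cert DIR NAME SUBJECT EXTFILE SERIAL [ISSUER]
# Writes DIR/NAME.key and DIR/NAME.pem; self-signed when ISSUER is omitted.
gen_cert() {
    d=$1; name=$2; subj=$3; ext=$4; serial=$5; issuer=$6
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
    if [ -n "$issuer" ]; then
        openssl x509 -req -in "$d/$name.csr" -sha256 -days 2 \
            -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" -set_serial "$serial" \
            -extfile "$ext" -out "$d/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$d/$name.csr" -sha256 -days 2 \
            -signkey "$d/$name.key" -set_serial "$serial" \
            -extfile "$ext" -out "$d/$name.pem" 2>/dev/null
    fi
}

# build_pki DIR: create the three certificates and two "served" bundles.
build_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'subjectAltName=DNS:donate.example.test\n' > "$d/leaf.ext"
    gen_cert "$d" root  "/CN=Demo Root CA"         "$d/ca.ext"   1       || return 1
    gen_cert "$d" inter "/CN=Demo Intermediate CA" "$d/ca.ext"   2 root  || return 1
    gen_cert "$d" leaf  "/CN=donate.example.test"  "$d/leaf.ext" 3 inter || return 1
    # Misconfigured server: leaf only. Correct server: leaf plus intermediate.
    cp "$d/leaf.pem" "$d/served-incomplete.pem"
    cat "$d/leaf.pem" "$d/inter.pem" > "$d/served-complete.pem"
}

# check_served_chain ROOT BUNDLE
# Returns 0 only if the first certificate in BUNDLE chains to ROOT using
# nothing but the extra certificates in BUNDLE, i.e. with no intermediate
# cached or fetched by the client.
check_served_chain() {
    root=$1; bundle=$2
    tmp=$(mktemp -d) || return 2
    # First PEM block is the leaf; later blocks are server-sent intermediates.
    awk -v out="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > (out "/leaf.pem") }
        n > 1  { print > (out "/extra.pem") }' "$bundle"
    if [ -s "$tmp/extra.pem" ]; then
        openssl verify -CAfile "$root" -untrusted "$tmp/extra.pem" \
            "$tmp/leaf.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$root" "$tmp/leaf.pem" >/dev/null 2>&1
    fi
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo=$(mktemp -d) && build_pki "$demo" && {
    for f in served-incomplete.pem served-complete.pem; do
        if check_served_chain "$demo/root.pem" "$demo/$f"; then
            echo "$f: chain verifies from what the server sent"
        else
            echo "$f: issuer unknown unless the client already has the intermediate"
        fi
    done
}
rm -rf "$demo"
```

Pointing check_served_chain at the certificate file the web server is actually configured to send shows whether a client holding only the root can build the chain.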
On 15/06/17 12:04, Emmanuel Engelhart wrote:
Hi
Please open a ticket for that and explain exactly what goes wrong. I'll have a look this WE.
Emmanuel
Some ancient history...
Gordo
On 02/10/16 22:38, Neil Harris wrote:
On 02/10/16 17:50, Gordon Joly wrote:
I believe that problem with Firefox is extant.
Gordo
The Qualys SSL checker:
https://www.ssllabs.com/ssltest/analyze.html?d=wikimedia.org.uk&latest
is less than happy about the site, granting it only a grade C for both the IPv4 and IPv6 configurations. See the reports generated there for a whole bunch of warnings regarding potential vulnerabilities and other technical glitches regarding both the certificate and server configuration.
Neil
Ubuntu? Michael appears to be running Sierra, which is also known as "SLOWER"... when it comes to updates :-)
Firefox 53.0.3 on Linux Mint 18.1 (an Ubuntu fork) here at LoopZilla HQ.
On 15/06/17 11:52, David Gerard wrote:
Update to Firefox 54 (just hit the Ubuntu repos today) and see what it does?
On 15.06.2017 12:37, Michael Maggs wrote:
This seems to be a really odd and annoying error. I've come across it several times myself, using Firefox, but this time I had no problems with the certificate. I'm running Firefox for Mac 53.0.3 on MacOS Sierra.
Michael
David Gerard mailto:dgerard@gmail.com 15 June 2017 at 10:28 am Just renewed my WMUK membership, and Firefox balked at the SSL certificate. The cert doesn't expire until 2019, but Firefox 54 doesn't like it.
Oddly, Chromium 58 is fine with it.
Can anyone see what's wrong, which CA Firefox doesn't like any more etc?
@David
I had a look and unfortunately I can not reproduce the FF54 specific problem: FF54 reports https://donates.wikimedia.org.uk as a secure connection.
Please next time open directly a ticket at https://bugzilla.wikimedia.org.uk/
Emmanuel
https://www.ssllabs.com/ssltest/analyze.html?d=donate.wikimedia.org.uk&l... is as broken as ever and clearly shows the incomplete cert chain issue.
I'm not going to mess around with yet another Bugzilla when what I'm reporting on is that I'm trying to give WMUK money and the site's not working properly. Y'know, WMUK can either care or not.
On 25 June 2017 at 07:50, Emmanuel Engelhart emmanuel@engelhart-software.com wrote:
@David
I had a look and unfortunately I can not reproduce the FF54 specific problem: FF54 reports https://donates.wikimedia.org.uk as a secure connection.
Please next time open directly a ticket at https://bugzilla.wikimedia.org.uk/
Emmanuel
I'd question whether anyone would see the Bugzilla bug without actually looking, as most people probably won't be seeing any of the emails from it.
Sort of amusingly, that particular issue has its own bug report https://bugzilla.wikimedia.org.uk/show_bug.cgi?id=431 which doesn't appear to have been worked on yet.
-- Lewis Cawte
On Sun, 25 Jun 2017 at 09:22 David Gerard dgerard@gmail.com wrote:
https://www.ssllabs.com/ssltest/analyze.html?d=donate.wikimedia.org.uk&l... is as broken as ever and clearly shows the incomplete cert chain issue.
I'm not going to mess around with yet another Bugzilla when what I'm reporting on is that I'm trying to give WMUK money and the site's not working properly. Y'know, WMUK can either care or not.
On 25/06/17 09:31, Lewis Cawte wrote:
Sort of amusingly, that particular issue has its own bug report https://bugzilla.wikimedia.org.uk/show_bug.cgi?id=431 which doesn't appear to have been worked on yet.
-- Lewis Cawte
I have done the SPF/DKIM/DMARC faffage for my own server, which has several domains. You would need access to the DNS server, namely ns{1,2,3}.livedns.co.uk, and setting up an email address to monitor the DMARC quarantine email alerts.
I have had excellent results. No more blacklisting for my server!
Gordon
On 25/06/17 09:31, Lewis Cawte wrote:
I'd question whether anyone would see the Bugzilla bug without actually looking, as most people probably won't be seeing any of the emails from it.
Sort of amusingly, that particular issue has its own bug report https://bugzilla.wikimedia.org.uk/show_bug.cgi?id=431 which doesn't appear to have been worked on yet.
-- Lewis Cawte
Thought I would sign up for Bugzilla. You know, put in my two cents worth...
Pobox.com caught the email:-
Date             From                   Subject                             Caught By
Jun 25, 2:11 pm  bugs@wikimedia.org.uk  Bugzilla: confirm account creation  dnsbl/zen.spamhaus.org
Gordo
Yep emails need some work; but because of the reason below it's hard to fix.
As to DKIM etc. the domain is currently registered with fasthost who have limited features in their DNS control panel.
Will talk to Emmanuel about fixing it.
T
On 25 Jun 2017 19:20, "Gordon Joly" gordon.joly@pobox.com wrote:
Thought I would sign up for Bugzilla. You know, put in my two cents worth...
Pobox.com caught the email:-
Date             From                   Subject                             Caught By
Jun 25, 2:11 pm  bugs@wikimedia.org.uk  Bugzilla: confirm account creation  dnsbl/zen.spamhaus.org
Gordo
On 25 June 2017 at 09:18 David Gerard <dgerard@gmail.com> wrote:
https://www.ssllabs.com/ssltest/analyze.html?d=donate.wikimedia.org.uk&l... is as broken as ever and clearly shows the incomplete cert chain issue.
I'm not going to mess around with yet another Bugzilla when what I'm reporting on is that I'm trying to give WMUK money and the site's not working properly. Y'know, WMUK can either care or not.
I believe they accept cheques. Charles
taking a look this morning. Stay tuned.
T
On Sun, 25 Jun 2017 at 10:21 Charles Matthews < charles.r.matthews@ntlworld.com> wrote:
On 25 June 2017 at 09:18 David Gerard dgerard@gmail.com wrote:
https://www.ssllabs.com/ssltest/analyze.html?d=donate.wikimedia.org.uk&l... is as broken as ever and clearly shows the incomplete cert chain issue.
I'm not going to mess around with yet another Bugzilla when what I'm reporting on is that I'm trying to give WMUK money and the site's not working properly. Y'know, WMUK can either care or not.
I believe they accept cheques. Charles
Morning all.
I've taken a look and I think I have resolved all the existing issues. We're now getting an A on SSLLabs :) Charles can you check if the issue is resolved.
Just to be clear on an important change; I've disabled TLSV1.1 and below on the confidential server (board wiki and CiviCRM/Donate page). This is because I feel it needs a boost in security; what this DOES mean is that it now no longer supports Android versions below 4.4 and IE 10 and below.
If this poses a problem I can re-enable it, but standard practice is to move away from TLSV1.1 and below.
I've left the website/wiki with the earlier TLS versions for wider support for now.
Sorry it took so long to get to this; my Gmail I don't check so often nowadays and I get a lot of junk that hides meaningful things; I've unsubscribed from lots of stuff and sorted some filters out to help with this. I'll also subscribe my work address to this list.
Cheers, Tom
On Sun, 25 Jun 2017 at 10:35 Thomas Morton morton.thomas@googlemail.com wrote:
taking a look this morning. Stay tuned.
T
What a star!
Gordo
On 25/06/17 11:05, Thomas Morton wrote:
Morning all.
I've taken a look and I think I have resolved all the existing issues. We're now getting an A on SSLLabs :) Charles can you check if the issue is resolved.
Just to be clear on an important change; I've disabled TLSV1.1 and below on the confidential server (board wiki and CiviCRM/Donate page). This is because I feel it needs a boost in security; what this DOES mean is that it now no longer supports Android versions below 4.4 and IE 10 and below.
If this poses a problem I can re-enable it, but standard practice is to move away from TLSV1.1 and below.
I've left the website/wiki with the earlier TLS versions for wider support for now.
Sorry it took so long to get to this; my Gmail I don't check so often nowadays and I get a lot of junk that hides meaningful things; I've unsubscribed from lots of stuff and sorted some filters out to help with this. I'll also subscribe my work address to this list.
Cheers, Tom
Hi all
I'm very sorry these issues are continuing - and thanks for your attempts to resolve them Tom. I'm away on holiday for the next two weeks but if you need to speak to someone in the office please contact Davina on 020 7065 0990.
David, I will email you separately about this.
Thanks all and best wishes Lucy
On 25 June 2017 at 12:10, Gordon Joly gordon.joly@pobox.com wrote:
What a star!
Gordo
wikimediauk-l@lists.wikimedia.org