The site does not work in the Android browser. When I press "View certificate" this is what I see:
Common name: bankportal.preprod.evry.com (this is the same as the URL I am trying to reach)
Organisation: EVRY AS
Organisational unit: Terms of use at www.verisign.com/rpa (c)05

Issued by:
Common name: VeriSign Class 3 International Server CA - G3
Organisation: VeriSign, Inc
Organisational unit: VeriSign Trust Network

Validity:
Issued on: 17/09/2013
Expires on: 18/10/2014

And here are the certificates:

Certificate chain
 0 s:/C=NO/ST=Norway/L=Oslo/O=EVRY AS/OU=Terms of use at www.verisign.com/rpa (c)05/CN=bankportal.preprod.evry.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

On Thursday, 7 November 2013 at 20:24:54 UTC+1, Brian Carlstrom wrote:
> openssl s_client -connect insert.correct.domain.here:443 -showcerts
> should let you capture the PEM of the certs in the chain, not just
> their name.
>
> does the site work in the Android browser? Could it be untrusted
> because the hostname doesn't match the cert, not because of the
> certificate chain?
>
> -bri
>
> On Thu, Nov 7, 2013 at 11:20 AM, Sondre Mære Overskaug
> <[email protected]> wrote:
> > Hi Brian, thanks for the reply.
> >
> > I did not type the domain since it is not reachable from the outside
> > anyways. It is in a private enterprise network. Regarding Android version, I
> > use API level 15, which is Android 4.1.x. Is there some more information I
> > can produce to be able to verify your theory?
> >
> > Kind regards
> > Sondre Mære Overskaug
> > System Manager, Corporate Mobile
> > Self Service Corporate
> >
> > [email protected]
> > M +47 451 86 579
> >
> >> On 7 Nov 2013 at 20:01, Brian Carlstrom
> >> <[email protected]> wrote:
> >>
> >> What version of Android? I believe older versions of Android (perhaps
> >> 2.3 and earlier?) were sensitive that the CA bytes match, not just
> >> the CA public key. Some CAs have been reissued the CA certs which can
> >> be a problem. One of the old verisign ones was like this.
> >>
> >> if you would tell me the server name, I could verify this is the
> >> issue. But since you think that keeping your server name secret has
> >> anything to do with the security of the server, I can't help you
> >> further.
> >>
> >> -bri
> >>
> >> On Sat, Nov 2, 2013 at 5:23 AM, Sondre Mære Overskaug
> >> <[email protected]> wrote:
> >>> Hi!
> >>>
> >>> I am currently developing a hybrid Android app using the WebView component.
> >>> I am struggling with an SSL certificate on my domain hosting the
> >>> webapp/webpage.
> >>>
> >>> I am getting a SslError.SSL_UNTRUSTED exception when trying to open the
> >>> webapp in my WebView.
> >>> The certificate which triggers the exception is (I have removed the actual
> >>> domain from the chain for security reasons):
> >>>
> >>> Certificate: Issued to: CN=insert.correct.domain.here,OU=Terms of use at
> >>> www.verisign.com/rpa (c)05,O=EVRY AS,L=Oslo,ST=Norway,C=NO;
> >>> Issued by: CN=VeriSign Class 3 International Server CA - G3,OU=Terms
> >>> of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust
> >>> Network,O=VeriSign\, Inc.,C=US;
> >>>
> >>> Here is the certificate chain from my domain:
> >>>
> >>> Certificate chain
> >>>  0 s:/C=NO/ST=Norway/L=Oslo/O=EVRY AS/OU=Terms of use at www.verisign.com/rpa (c)05/CN=insert.correct.domain.here
> >>>    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
> >>>  1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
> >>>    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> >>>
> >>> I have scoured the web, and finally found a reply from a Google employee
> >>> stating that these root certificates from VeriSign are supported by Android.
> >>>
> >>> 524d9b43.0: Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal Root Certification Authority
> >>> 5e4e69e7.0: Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2007 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G4
> >>> 72fa7371.0: Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
> >>> 7651b327.0: Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
> >>> 7d453d8f.0: Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G3
> >>> c527e4ab.0: Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 4 Public Primary Certification Authority - G3
> >>> ed049835.0: Subject: C=US, O=VeriSign, Inc., OU=Class 4 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
> >>> facacbc6.0: Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
> >>>
> >>> As far as I can see (I am no certificate expert), there should be no problem
> >>> with our certificate chain?
> >>>
> >>> --
> >>> You received this message because you are subscribed to the Google Groups
> >>> "Android Security Discussions" group.
> >>> To unsubscribe from this group and stop receiving emails from it, send an
> >>> email to
> >>> [email protected].
> >>> To post to this group, send email to
> >>> [email protected].
> >>> Visit this group at http://groups.google.com/group/android-security-discuss.
> >>> For more options, visit https://groups.google.com/groups/opt_out.
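
Added example, not part of the thread: the chain listing posted at the top of this message can be checked for continuity, meaning that each certificate's issuer is the subject of the next certificate the server sends. The Python below (function names are illustrative; the s:/i: lines are copied from the message, PEM bodies left out) parses the `openssl s_client -showcerts` chain listing and reports that certificate 0's issuer, VeriSign Class 3 International Server CA - G3, is not the subject of certificate 1.

```python
import re

# Chain listing in `openssl s_client -showcerts` format; the s:/i: lines are
# copied from the message above, the PEM bodies are not needed for this check.
CHAIN_TEXT = """\
Certificate chain
 0 s:/C=NO/ST=Norway/L=Oslo/O=EVRY AS/OU=Terms of use at www.verisign.com/rpa (c)05/CN=bankportal.preprod.evry.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
"""

ENTRY = re.compile(r"^\s*(\d+)\s+s:(?P<s>.+)$")   # " 0 s:<subject DN>"
ISSUER = re.compile(r"^\s*i:(?P<i>.+)$")          # "   i:<issuer DN>"

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from an s_client chain listing."""
    chain, current = [], None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            current = [int(m.group(1)), m.group("s").strip(), None]
            chain.append(current)
            continue
        m = ISSUER.match(line)
        if m and current is not None and current[2] is None:
            current[2] = m.group("i").strip()
    return [tuple(c) for c in chain]

def find_gaps(chain):
    """Return (depth, issuer, next_subject) wherever issuer != next subject."""
    gaps = []
    for (depth, _subj, issuer), (_d, next_subj, _i) in zip(chain, chain[1:]):
        if issuer != next_subj:
            gaps.append((depth, issuer, next_subj))
    return gaps

def short(dn):
    """Last component of an openssl one-line DN, for readable reports."""
    return dn.rsplit("/", 1)[-1]

if __name__ == "__main__":
    for depth, issuer, next_subj in find_gaps(parse_chain(CHAIN_TEXT)):
        print(f"cert {depth}: issued by '{short(issuer)}', "
              f"but the next cert sent is '{short(next_subj)}'")
```

A client that builds the path only from the certificates the server sends plus its own trust store cannot link certificate 0 to a root across such a gap.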
