On 03/12/2015 07:28 AM, Dan Ritter wrote: > On Thu, Mar 12, 2015 at 12:00:59AM -0400, Bill Horne wrote: >> I've come across an odd problem with Rekonq, and I'm looking for help. >> >> I have a "real" SSL certificate for my website, billhorne.com. It >> shows, as is expected, a "padlock" icon when I go to >> https://billhorne.com/ . >> >> Except when I use Rekonq, and then the KDE browser gives me an >> "untrusted" error, saying that the root CA certificate is not >> trusted for this use. Google searches show that it's a "known" >> problem, but the only pages I found were of suggestions that there >> was a MITM attack in progress or warning against using a self-signed >> cert. >> >> I took a screen shot of the "deails" page: it's at >> https://billhorne.com/snapshot1.png . All suggestions are welcome, >> and thank you in advance. > > https://www.ssllabs.com/ssltest/analyze.html?d=billhorne.com&latest > > You probably have some certificate chain problems that Rekonq is > sensitive to.
Yes, specifically, Bill is sending a "GeoTrust Global CA" cert signed by a weak (1024-bit) EquiFax CA. He is also not sending the RapidSSL intermediate cert. So Rekonq could be upset at the broken chain or possibly the partial chain being untrustworthy. Replacing your chain with the "RapidSSL SHA256 CA - G3" cert with fingerprint 0e34141846e7423d37f20dc0ab06c9bbd843dc24 should resolve this. (Can be found here: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26457) > You support weak algorithms -- try: > > SSLCipherSuite ALL:!ADH:RC4:+HIGH:+MEDIUM:!LOW:!EXP:!AECDH > SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2 > SSLCompression off > > With RC4, you have some weakness, but without RC4, you'll lose a > lot of older browsers. In a year or three you can probably drop > that, too. If it's a personal website, I don't see much disadvantage to dropping these. If somebody complains they can't see it, maybe consider reenabling RC4, but if you don't need to worry about losing business from people running XP, there's no need to preemptively weaken. On sites where I'm interested in making sure friends and family can connect, this is my suite: EECDH:EDH:!MEDIUM:!LOW:!EXP:!DSS:!aNULL:!eNULL:!RC4:!3DES:!SEED:!MD5 Again, though, I'm interested in personal users who have almost certainly upgraded machines in the last 5 years, not corporate clients who may be running early-00's tech. > And when you renew the cert, you should get SHA2 instead of > SHA1. Bill's is SHA2. It's the chain that's not. _______________________________________________ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss