Re: “Secure Connection Failed” Error in Firefox

2024-03-03 Thread Jeffrey Walton
On Sun, Mar 3, 2024 at 2:02 PM Jeffrey Walton wrote:
>
> On Sun, Mar 3, 2024 at 1:47 PM Marcelo Laia wrote:
> >
> > Hello Debian users!
> >
> > When accessing the website https://gontijoonibus.gontijo.com.br/ on Firefox 
> > Android (on my smartphone), the site is accessed normally. However, when 
> > attempting to access this site on the desktop, Debian Firefox-ESR version 
> > 115.8.0esr (64-bit), the following error occurs:
> >
> > Secure Connection Failed
> > An error occurred during a connection to gontijoonibus.gontijo.com.br.
> > The page you are trying to view cannot be displayed because the 
> > authenticity of the received data could not be verified.
> > Please contact the website owners to inform them of this problem.
>
> According to OpenSSL and the default CA list on Ubuntu 22.04, the
> connection looks Ok. The problem appears to be more than a simple
> problem connecting.
>
> If I had to hazard a guess, I would start with the wildcard in the
> Common Name (CN) shown below. I know the CA/Browser Baseline
> Requirements changed recently, and CN is now a SHOULD NOT. Wildcards
> have been frowned upon but not forbidden. Maybe the browsers are
> moving against wildcards in the CN now.
>
> Note: tooling, like cURL, OpenSSL and Wget follow the IETF's Internet
> PKI (PKIX). Browsers follow the CA/Browsers Baseline Requirements (Web
> PKI). They mostly overlap, but they have a fair amount of differences
> once you accumulate some knowledge about them.
>
> And the IETF lawyers wrote a nasty letter to the W3C a couple of years
> ago because the W3C was publishing incompatible standards. See
> .
> And from my observations, the CA/Browser Forums have been doing the
> same thing. So I would not be surprised if there's an incompatible
> change between PKIX and Web PKI.
>
> 
> $ echo -e 'GET / HTTP/1.1\r\n\r\n' | openssl s_client -connect gontijoonibus.gontijo.com.br:443 -servername gontijoonibus.gontijo.com.br
> CONNECTED(0003)
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
> verify return:1
> depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
> verify return:1
> depth=0 CN = *.gontijo.com.br
> verify return:1
> ---
> Certificate chain
>  0 s:CN = *.gontijo.com.br
>    i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
>    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>    v:NotBefore: May  9 00:00:00 2023 GMT; NotAfter: May  8 23:59:59 2024 GMT
>  1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
>    i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
>    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>    v:NotBefore: Nov  2 12:24:25 2017 GMT; NotAfter: Nov  2 12:24:25 2027 GMT
>  2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
>    i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
>    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>    v:NotBefore: Aug  1 12:00:00 2013 GMT; NotAfter: Jan 15 12:00:00 2038 GMT
> ---
> Server certificate

Re: “Secure Connection Failed” Error in Firefox

2024-03-03 Thread Jeffrey Walton
On Sun, Mar 3, 2024 at 1:47 PM Marcelo Laia wrote:
>
> Hello Debian users!
>
> When accessing the website https://gontijoonibus.gontijo.com.br/ on Firefox 
> Android (on my smartphone), the site is accessed normally. However, when 
> attempting to access this site on the desktop, Debian Firefox-ESR version 
> 115.8.0esr (64-bit), the following error occurs:
>
> Secure Connection Failed
> An error occurred during a connection to gontijoonibus.gontijo.com.br.
> The page you are trying to view cannot be displayed because the authenticity 
> of the received data could not be verified.
> Please contact the website owners to inform them of this problem.

According to OpenSSL and the default CA list on Ubuntu 22.04, the
connection looks Ok. The problem appears to be more than a simple
problem connecting.

If I had to hazard a guess, I would start with the wildcard in the
Common Name (CN) shown below. I know the CA/Browser Baseline
Requirements changed recently, and CN is now a SHOULD NOT. Wildcards
have been frowned upon but not forbidden. Maybe the browsers are
moving against wildcards in the CN now.

Note: tooling, like cURL, OpenSSL and Wget follow the IETF's Internet
PKI (PKIX). Browsers follow the CA/Browsers Baseline Requirements (Web
PKI). They mostly overlap, but they have a fair amount of differences
once you accumulate some knowledge about them.

And the IETF lawyers wrote a nasty letter to the W3C a couple of years
ago because the W3C was publishing incompatible standards. See
.
And from my observations, the CA/Browser Forums have been doing the
same thing. So I would not be surprised if there's an incompatible
change between PKIX and Web PKI.


$ echo -e 'GET / HTTP/1.1\r\n\r\n' | openssl s_client -connect gontijoonibus.gontijo.com.br:443 -servername gontijoonibus.gontijo.com.br
CONNECTED(0003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
verify return:1
depth=0 CN = *.gontijo.com.br
verify return:1
---
Certificate chain
 0 s:CN = *.gontijo.com.br
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May  9 00:00:00 2023 GMT; NotAfter: May  8 23:59:59 2024 GMT
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov  2 12:24:25 2017 GMT; NotAfter: Nov  2 12:24:25 2027 GMT
 2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug  1 12:00:00 2013 GMT; NotAfter: Jan 15 12:00:00 2038 GMT
---
Server certificate
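
Added example, not part of the original message: the PKIX versus Web PKI difference described above, reduced to one well-known rule, namely whether the subject CN may stand in when a certificate has no dNSName SAN. This is a simplified model in Python, not OpenSSL or Firefox code; `label_match`, `host_matches` and both sample certificates are constructed for illustration and say nothing about what the real server presents.

```python
# Added example: simplified model of TLS server-name checking.
# Not OpenSSL or Firefox code; all names here are hypothetical.

def label_match(pattern: str, host: str) -> bool:
    """Match one presented DNS name against the requested host.

    '*' is honoured only as the whole leftmost label and stands for exactly
    one label, so '*.example.test' never matches 'example.test' or
    'a.b.example.test'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels so '*.br'-style names are refused.
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    return "*" not in pattern and p == h


def host_matches(cert: dict, host: str, cn_fallback: bool) -> bool:
    """cert = {'cn': str or None, 'san_dns': [str, ...]} (constructed shape).

    cn_fallback=True  models legacy PKIX-style tooling: the subject CN is
                      consulted only when there is no dNSName SAN at all.
    cn_fallback=False models current browsers: SAN entries only.
    """
    names = list(cert.get("san_dns") or [])
    if not names and cn_fallback and cert.get("cn"):
        names = [cert["cn"]]
    return any(label_match(n, host) for n in names)


# Constructed sample certificates. The CN is shaped like the one in the
# thread's output; the SAN lists are assumptions for illustration.
CN_ONLY = {"cn": "*.gontijo.com.br", "san_dns": []}
WITH_SAN = {"cn": "*.gontijo.com.br",
            "san_dns": ["*.gontijo.com.br", "gontijo.com.br"]}
HOST = "gontijoonibus.gontijo.com.br"


def report():
    """Return (label, legacy_tooling_ok, browser_ok) for each sample."""
    return [(label,
             host_matches(cert, HOST, cn_fallback=True),
             host_matches(cert, HOST, cn_fallback=False))
            for label, cert in (("CN only", CN_ONLY), ("CN + SAN", WITH_SAN))]


if __name__ == "__main__":
    for label, legacy, browser in report():
        print(f"{label:9} legacy-tooling={legacy} browser={browser}")
```

To see which case applies to a live certificate, list its Subject Alternative Name entries with `openssl x509 -noout -ext subjectAltName` and compare them with the CN.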


Re: “Secure Connection Failed” Error in Firefox

2024-03-03 Thread Dan Ritter
Marcelo Laia wrote: 
> Hello Debian users!
> 
> When accessing the website https://gontijoonibus.gontijo.com.br/ on Firefox 
> Android (on my smartphone), the site is accessed normally. However, when 
> attempting to access this site on the desktop, Debian Firefox-ESR version 
> 115.8.0esr (64-bit), the following error occurs:
>

https://www.ssllabs.com/ssltest/analyze.html?d=gontijoonibus.gontijo.com.br

shows that there are several IP addresses that could be serving
this, but only 206.41.74.19 seems to be responsive.

And then it doesn't serve any content.

I would say that there are deep problems going on, which have
nothing to do with the client and everything to do with the
server.

-dsr-



Re: “Secure Connection Failed” Error in Firefox

2024-03-03 Thread Brad Rogers
On Sun, 3 Mar 2024 12:26:20 -0300
Marcelo Laia wrote:

Hello Marcelo,

>website https://gontijoonibus.gontijo.com.br/ on 

I get the same results as Greg - in several browsers.

-- 
 Regards  _   "Valid sig separator is {dash}{dash}{space}"
 / )  "The blindingly obvious is never immediately apparent"
/ _)rad   "Is it only me that has a working delete key?"
I hope I live to relive the days gone by
Old Before I Die - Robbie Williams




Re: “Secure Connection Failed” Error in Firefox

2024-03-03 Thread Greg Wooledge
On Sun, Mar 03, 2024 at 12:26:20PM -0300, Marcelo Laia wrote:
> When accessing the website https://gontijoonibus.gontijo.com.br/ on Firefox 
> Android (on my smartphone), the site is accessed normally. However, when 
> attempting to access this site on the desktop, Debian Firefox-ESR version 
> 115.8.0esr (64-bit), the following error occurs:
> 
> 
> Secure Connection Failed
> An error occurred during a connection to gontijoonibus.gontijo.com.br.
> The page you are trying to view cannot be displayed because the authenticity 
> of the received data could not be verified.
> Please contact the website owners to inform them of this problem.
> 
> Learn more…

For the record, Google Chrome gives:

This site can’t be reached

The webpage at https://gontijoonibus.gontijo.com.br/ might be temporarily
down or it may have moved permanently to a new web address.

ERR_HTTP2_PROTOCOL_ERROR



“Secure Connection Failed” Error in Firefox

2024-03-03 Thread Marcelo Laia

Hello Debian users!

When accessing the website https://gontijoonibus.gontijo.com.br/ on Firefox 
Android (on my smartphone), the site is accessed normally. However, when 
attempting to access this site on the desktop, Debian Firefox-ESR version 
115.8.0esr (64-bit), the following error occurs:


Secure Connection Failed
An error occurred during a connection to gontijoonibus.gontijo.com.br.
The page you are trying to view cannot be displayed because the authenticity of 
the received data could not be verified.
Please contact the website owners to inform them of this problem.

Learn more…


I have already changed the minimum accepted TLS protocol value from 3 to 1 in 
about:config, but this did not resolve the issue.

I have also deleted the ~/.mozilla folder and it was recreated, but without 
success.

How can I solve this problem?

Thank you so much!

--
Marcelo