I think this is fixed for www.torproject.org now. Digicert apparently updated their ca chained certs at some point. I've put the updated ca-certs on the www servers. If this works, we can update them on all torproject servers.
And for fun, I've attached the gnutls-cli output of the old cert in place and the new cert in place.

tl;dr we went from:

our cert -> DigiCert High Assurance CA-3

to now:

cert -> DigiCert High Assurance CA-3 -> DigiCert High Assurance EV Root CA

I couldn't replicate the problem in Chromium, FF9, nor whatever version of Android I have on an obsolete phone.

--
Andrew
http://tpo.is/contact
pgp 0x74ED336B
gnutls-cli www.torproject.org
Resolving 'www.torproject.org'...
Connecting to '38.229.72.14:443'...
- Session ID: 57:5F:06:07:51:0A:04:4E:4E:27:EC:7F:FB:E3:FF:3C:CA:8D:A2:93:43:92:4B:09:20:34:64:B7:01:59:D8:FE
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `C=US,ST=Massachusetts,L=Walpole,O=The Tor Project\, Inc.,CN=*.torproject.org', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', RSA key 2048 bits, signed using RSA-SHA256, activated `2011-02-15 00:00:00 UTC', expires `2013-04-19 23:59:59 UTC', SHA-1 fingerprint `a7e70f8a648fe04a9677f13eedf6f91b5f7f2e25'
- Certificate[1] info:
 - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2007-04-03 00:00:00 UTC', expires `2022-04-03 00:00:00 UTC', SHA-1 fingerprint `a2e32a1a2e9fab6ead6b05f64ea0641339e10011'
- Certificate[2] info:
 - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', issuer `C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Secure Server Certification Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2006-10-01 05:00:00 UTC', expires `2014-07-26 18:15:15 UTC', SHA-1 fingerprint `918da5e499c15f7c6275b124fede53357c34bd36'
- The hostname in the certificate matches 'www.torproject.org'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1016 bits
 - Peer's public key: 1019 bits
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
gnutls-cli www.torproject.org
Resolving 'www.torproject.org'...
Connecting to '38.229.72.14:443'...
- Session ID: FE:5A:D0:67:F9:7C:2D:03:E8:F0:E2:35:38:2D:F4:D0:D9:32:F7:95:B1:D6:E6:2F:78:F2:2B:D8:64:EB:2E:D1
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `C=US,ST=Massachusetts,L=Walpole,O=The Tor Project\, Inc.,CN=*.torproject.org', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', RSA key 2048 bits, signed using RSA-SHA256, activated `2011-02-15 00:00:00 UTC', expires `2013-04-19 23:59:59 UTC', SHA-1 fingerprint `a7e70f8a648fe04a9677f13eedf6f91b5f7f2e25'
- Certificate[1] info:
 - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2007-04-03 00:00:00 UTC', expires `2022-04-03 00:00:00 UTC', SHA-1 fingerprint `a2e32a1a2e9fab6ead6b05f64ea0641339e10011'
- The hostname in the certificate matches 'www.torproject.org'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits
 - Peer's public key: 1019 bits
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
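The difference between the two attached outputs is whether the served chain reaches a root the client already has. As an added illustration (not part of the post or of any Tor Project tooling), the script below parses the "Certificate[N] info:" lines that gnutls-cli prints, checks that each certificate is issued by the next one, and then asks whether the chain ends at a root in a given trust store; the two trust stores and the trimmed sample outputs are constructed for the example, and trust is modelled by subject DN only, which is a simplification.

```python
import re

# Parses the "Certificate[N] info:" blocks gnutls-cli prints and checks whether the
# served chain links up and ends at a root the client trusts.  Trust is modelled by
# subject DN only (a simplification: real clients also verify signatures and dates).
CERT_RE = re.compile(r"subject `(?P<subject>[^']*)', issuer `(?P<issuer>[^']*)'")

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m["subject"], m["issuer"]) for m in CERT_RE.finditer(output)]

def check_chain(chain, trust_store):
    """Return (ok, reason): each cert must be issued by the next one, and the last
    cert must be, or be issued by, a root in trust_store."""
    if not chain:
        return False, "no certificates"
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return False, f"chain break: {issuer!r} != {next_subject!r}"
    last_subject, last_issuer = chain[-1]
    if last_subject in trust_store or last_issuer in trust_store:
        return True, f"chain ends at trusted root {last_issuer!r}"
    return False, f"issuer unknown: {last_issuer!r} not in trust store"

CA3 = "C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3"
EV_ROOT = "C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA"
ENTRUST = ("C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),"
           "OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Secure Server Certification Authority")
LEAF = "C=US,ST=Massachusetts,L=Walpole,O=The Tor Project\\, Inc.,CN=*.torproject.org"

# Constructed sample input, trimmed from the gnutls-cli output quoted in the post.
OLD_OUTPUT = f"""- Certificate[0] info:
 - subject `{LEAF}', issuer `{CA3}', RSA key 2048 bits
- Certificate[1] info:
 - subject `{CA3}', issuer `{EV_ROOT}', RSA key 2048 bits
"""
NEW_OUTPUT = OLD_OUTPUT + f"""- Certificate[2] info:
 - subject `{EV_ROOT}', issuer `{ENTRUST}', RSA key 2048 bits
"""

# Two hypothetical client trust stores: an older one that only knows the Entrust
# root, and a current one that ships the DigiCert EV root directly.
OLD_CLIENT = {ENTRUST}
NEW_CLIENT = {ENTRUST, EV_ROOT}

if __name__ == "__main__":
    for chain_name, out in (("old chain", OLD_OUTPUT), ("new chain", NEW_OUTPUT)):
        for client, store in (("old client", OLD_CLIENT), ("new client", NEW_CLIENT)):
            print(f"{chain_name} / {client}: {check_chain(parse_chain(out), store)}")
```

Only the "old chain / old client" combination fails, which is the situation the extra cross-signed certificate in the new chain fixes; the outputs above report the issuer as unknown in both cases because gnutls-cli was run without a CA file, whereas this check takes the trust store as an explicit argument.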
_______________________________________________ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk