Tag Archives: SSL

Comodo vs. Microsoft

As stated in the previous post, there were some issues with the Comodo Positive SSL implementation. Those were caused by the web server supplying an incorrect certificate chain, so verification failed on certain platforms, among them anything using the Android or Firefox certificate stores.


A correct certificate chain shows the following certificates:

  • AddTrust External CA Root
  • COMODO RSA Certification Authority
  • COMODO RSA Domain Validation Secure Server CA
  • <your own identity> on this website being *.dullaard.nl

However when looking at the Windows certificate store it showed the following on the two servers I tested with:

  • COMODO
  • COMODO RSA Domain Validation Secure Server CA
  • <your own identity> on this website being *.dullaard.nl

And as this is the chain that any service using the certificate publishes, any product that actually verifies the whole chain will end up with a certificate failure. What essentially needs to be done is to fix the Windows certificate store so that it shows you the first chain and not the second, as that resolves all the issues with Android, Firefox and maybe some others as well.

Comodo supplies the right certificates on their website, but I didn’t use that approach. When looking at the chain through Firefox (running on Ubuntu 14.04) it shows the chain as it should be; it also allows you to export the certificates in the chain. Those certificates I’ve imported into the Windows certificate store. The upper one has to go into the Trusted Root Certification Authorities container, the two others have to go into the Intermediate Certification Authorities container. I then noticed that it still didn’t show properly and, searching by serial number, I found a certificate in the Trusted Root Certification Authorities container that I exported and then removed. Once this was done it showed up correctly and the errors on both Firefox and Android are gone.
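To confirm that a server now sends a chain that reaches AddTrust External CA Root rather than stopping one step short, the following added example (not code from the original post) parses the "Certificate chain" section that `openssl s_client -showcerts` prints and reports the gaps. The two chain texts are constructed samples with DNs shortened to the CN; `check_chain`, `parse_chain` and `ADDTRUST_ONLY` are names chosen here.

```python
import re
from typing import List, Tuple

# Constructed sample of the "Certificate chain" section printed by
# `openssl s_client -connect host:443 -showcerts`; DNs shortened to CN only.
GOOD_CHAIN = """\
Certificate chain
 0 s:/CN=*.dullaard.nl
   i:/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/CN=COMODO RSA Domain Validation Secure Server CA
   i:/CN=COMODO RSA Certification Authority
 2 s:/CN=COMODO RSA Certification Authority
   i:/CN=AddTrust External CA Root
"""

# Constructed sample of the broken case from the post: the certificate that
# links COMODO RSA Certification Authority to AddTrust is not sent at all.
BAD_CHAIN = """\
Certificate chain
 0 s:/CN=*.dullaard.nl
   i:/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/CN=COMODO RSA Domain Validation Secure Server CA
   i:/CN=COMODO RSA Certification Authority
"""

_LINE = re.compile(r"^\s*(?:\d+\s+)?([si]):(.*)$")

def parse_chain(text: str) -> List[Tuple[str, str]]:
    """Return (subject, issuer) pairs in the order the server sent them."""
    certs, subject = [], None
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        kind, dn = m.group(1), m.group(2).strip()
        if kind == "s":
            subject = dn
        elif subject is not None:
            certs.append((subject, dn))
            subject = None
    return certs

def check_chain(text: str, trusted_roots: set) -> List[str]:
    """Each issuer must be the next subject, and the final issuer must be a
    root the verifying client actually trusts."""
    certs = parse_chain(text)
    problems = []
    for (_, issuer), (next_subject, _) in zip(certs, certs[1:]):
        if issuer != next_subject:
            problems.append(f"issuer {issuer!r} is not followed by its certificate")
    if certs and certs[-1][1] not in trusted_roots:
        problems.append(f"chain ends at {certs[-1][1]!r}, not at a trusted root")
    return problems

# A store that, like the Android and Firefox stores in the post, has only AddTrust.
ADDTRUST_ONLY = {"/CN=AddTrust External CA Root"}
```

Running the broken chain against a store that already trusts COMODO RSA Certification Authority as a root returns no problems, which is why Windows accepted the site while AddTrust-only stores did not.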

And all sites will become SSL enabled

So far only some websites we run have been secured by an internally generated certificate, which for everybody else caused a certificate error unless you imported the Certificate Authority that issued them somewhere. Now we’ve replaced it with a commercial certificate (wildcard version) to cover all the current websites and anything else we want to build or test in the future. Currently all sites will run with HTTPS, however it is not yet enforced; we will do this at a later stage. Both our blogs can still start with HTTP, however as soon as you go further it will go over into HTTPS. We still need to edit some articles as they have collected hardcoded paths instead of relative paths in their content. This needs to be fixed before it will only run on HTTPS. Once that happens, if you enter HTTP it will simply translate that to HTTPS for you.

Update (Sep 15): There were problems with Mozilla Firefox (Desktop as well as Mobile) throwing an error, as well as Android (incl. Chrome browser), but these were due to a problem with the certificate chain. I did not test with others. Automatic rewrite on both eugene.dullaard.nl as well as sunny.dullaard.nl towards HTTPS is working fine. If the above doesn’t get resolved I will most likely revert that change until there is time to look at it. So with the exception of the homepage everything is now SSL enabled. The homepage I didn’t do yet as it contains the cartoon that has an external source and cannot be obtained via HTTPS. This would throw alerts in certain browsers and as there is nothing special on that page, I left it as is.