
Untrusted SSL Certificate on https://evernote.com

security authentication evernote

3 replies to this topic

#1 s3rac

s3rac

  • Title: Member
  • Group: Members
  • 3 posts

Posted 20 June 2012 - 05:05 PM

It appears that https://evernote.com is triggering browser certificate trust warnings due to presentation of an incomplete certificate chain:


marvin:~$ openssl s_client -showcerts -tls1 -connect evernote.com:443
CONNECTED(00000003)
depth=0 C = US, ST = California, L = Mountainv View, O = "Evernote, Corp.", OU = Terms of use at www.verisign.com/rpa ©05, CN = evernote.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Mountainv View, O = "Evernote, Corp.", OU = Terms of use at www.verisign.com/rpa ©05, CN = evernote.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = California, L = Mountainv View, O = "Evernote, Corp.", OU = Terms of use at www.verisign.com/rpa ©05, CN = evernote.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountainv View/O=Evernote, Corp./OU=Terms of use at www.verisign.com/rpa ©05/CN=evernote.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa ©10/CN=VeriSign Class 3 Secure Server CA - G3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa ©09/CN=VeriSign Class 3 Secure Server CA - G2
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=© 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountainv View/O=Evernote, Corp./OU=Terms of use at www.verisign.com/rpa ©05/CN=evernote.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa ©10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 3202 bytes and written 540 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 4FE2020EFC43F125914B444D6273E0855E54780B2E5FC5C774EA0E7444D8B524
Session-ID-ctx:
Master-Key: 13A9D0DEAC347E8BC987FAFE7DFB555B7A1FDF9FF51BC3C9A1C243D2971295AF958E6579FB269C0E13D673D7FFC4A0BF
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1340211726
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
---

Note in the output above that there is no entry in the certificate chain for "Class 3 Public Primary Certification Authority - G2," which I believe is the problem. I believe that PKIX validation routines require the root self-signed certificate to be at the end of the chain, and in light of that requirement, the absence would explain the trust error I observed.
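An added example, not from the thread: a small stdlib-only Python checker that walks the subject/issuer pairs from the "Certificate chain" section of the -showcerts output above and reports the first point where the chain stops linking, against an assumed trust store that (as an assumption for the example) contains the "Class 3 Public Primary Certification Authority - G2" root. Run over the chain quoted above, it flags that certificate 0 names "Secure Server CA - G3" as issuer while certificate 1 is "Secure Server CA - G2", which is the break a PKIX path builder hits before the question of the root even arises.

```python
import re
from typing import List, Optional, Set, Tuple

# Sample input: the chain section of the openssl s_client -showcerts output
# quoted in the first post (certificate bodies omitted).
SAMPLE_CHAIN = """\
0 s:/C=US/ST=California/L=Mountainv View/O=Evernote, Corp./OU=Terms of use at www.verisign.com/rpa ©05/CN=evernote.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa ©10/CN=VeriSign Class 3 Secure Server CA - G3
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa ©09/CN=VeriSign Class 3 Secure Server CA - G2
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=© 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
"""

# Assumed local trust store, keyed by subject DN (constructed for this example).
TRUSTED_ROOTS: Set[str] = {
    "/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2"
    "/OU=© 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network",
}


def parse_chain(text: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server presented them."""
    subjects = re.findall(r"^\s*\d+\s+s:(.*)$", text, re.M)
    issuers = re.findall(r"^\s*i:(.*)$", text, re.M)
    if len(subjects) != len(issuers):
        raise ValueError("malformed -showcerts output: subject/issuer lines differ")
    return list(zip(subjects, issuers))


def check_chain(chain: List[Tuple[str, str]], trusted: Set[str]) -> Optional[str]:
    """Describe the first break in the chain, or None if it reaches a trusted root."""
    for n, (subject, issuer) in enumerate(chain):
        if subject == issuer:  # self-signed: only acceptable if it is a trusted root
            return None if subject in trusted else f"cert {n} is self-signed but not trusted"
        if issuer in trusted:  # issuer is a local root; the server need not send it
            return None
        if n + 1 >= len(chain):  # chain ends before reaching anything we trust
            return f"cert {n} issuer not sent and not in trust store: {issuer}"
        if chain[n + 1][0] != issuer:  # next cert is not the issuer of this one
            return (f"cert {n} issuer ({issuer}) does not match "
                    f"subject of cert {n + 1} ({chain[n + 1][0]})")
    return None


if __name__ == "__main__":
    print(check_chain(parse_chain(SAMPLE_CHAIN), TRUSTED_ROOTS))
```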

#2 s3rac

s3rac

  • Title: Member
  • Group: Members
  • 3 posts

Posted 20 June 2012 - 05:17 PM

I believe this may be a transient problem. I closed my browser to clear the SSL warning selection that I clicked through initially, with the intention of getting a screenshot to attach to this post. Now the cert appears trusted and the cert chain looks well-formed according to Google Chrome. I should also note that when I encountered this problem initially, Chrome only showed the head cert, unlike the OpenSSL output that showed a chain of two certs. I'm wondering if the apparent certificate configuration problem is only affecting some of the hosts in the pool.

#3 Krellan

Krellan

  • Title: Alliance Lackey
  • Group: Members
  • 54 posts

Posted 21 June 2012 - 05:26 AM

A similar certificate problem happened to me.

I wasn't consistent in how I accessed the site:

https://evernote.com/

https://www.evernote.com/

To you and me, both links above are the same site, but the certificate doesn't know that, and so they're counted as two separate sites.

Evernote fixed this bug a while ago, which is good. I wonder if this new certificate problem could be related, though? It still works fine for me; I haven't had any certificate problems in a long time.

Josh

#4 s3rac

s3rac

  • Title: Member
  • Group: Members
  • 3 posts

Posted 21 June 2012 - 02:22 PM

The problem I observed is a certificate trust problem due to improper chain construction, while the problem you observed is a hostname mismatch. (By convention most browsers require the DNS name of a site to match the CN of the certificate subjectDN or subjectAltName fields.) The two problems are related in that they are both common SSL configuration problems, but in technical terms they have fairly different causes.
