libertaire

Reputation: 855

SSL errors in Google Chrome ... no public key?

I just noticed that my website is getting SSL errors when browsing with Google Chrome.

It says something about the encryption being outdated and that I don't have a public key.

How to fix this?

I use PositiveSSL from Comodo

https://www.ni-dieu-ni-maitre.com/

Upvotes: 0

Views: 559

Answers (2)

Steffen Ullrich

Reputation: 123571

> It says something about the encryption being outdated and that I don't have a public key

It does not say anything about a public key, but about "no public audit records". This only means that you just got one of the cheap certificates which only get verified by e-mail or similar. But there are several other problems:

  • The certificate is signed with SHA-1 but is valid until 2019, which is far after the deprecation time for SHA-1. Therefore you get "outdated security settings". Contact your certificate vendor to get an updated certificate.
  • The site only does TLS 1.0 and even supports SSL 3.0, and it also does not support the GCM ciphers introduced with TLS 1.2. Thus you get "obsolete cryptography". Fix your web server: you probably need to upgrade the software to support TLS 1.2 and afterwards update some settings to disable SSL 3.0. As a side effect you get access to the ECDHE and GCM ciphers, which are faster than the ciphers you are currently using.

For more information have a look at http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html

Upvotes: 1

uraimo

Reputation: 19851

Test it with this: https://www.ssllabs.com/ssltest/analyze.html?d=ni-dieu-ni-maitre.com&latest

There are multiple issues, the most important being that your server is vulnerable to the POODLE attack (SSLv3 is enabled). Other than this, the problem you see is caused by the use of a SHA-1 signature, which is now deprecated; it should be replaced with a SHA-256 signature or something else.

From Chrome:

> The connection uses TLS 1.0.
>
> The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.

It looks like they could be freely re-issuing these certificates; check this and their certificate configuration page.

Upvotes: 1
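
The checks both answers describe, as an added example that is not part of either answer: it parses the text form of a certificate (as printed by `openssl x509 -noout -text`) and maps the certificate and the observed protocol settings to the warnings discussed above. The certificate excerpt and the observed protocol and cipher values are constructed sample input, the 1 January 2017 cutoff is taken from Chrome's SHA-1 sunset schedule, and `parse_cert` and `audit` are hypothetical helper names.

```python
import re
from datetime import datetime

# Cutoff from Chrome's SHA-1 sunset schedule (assumption stated in the lead-in).
SHA1_CUTOFF = datetime(2017, 1, 1)

# Constructed excerpt in the format of `openssl x509 -noout -text`.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Mar  3 00:00:00 2014 GMT
            Not After : Mar  3 23:59:59 2019 GMT
"""

def parse_cert(text):
    """Return (signature_algorithm, not_after) from openssl text output."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1)
    raw = re.search(r"Not After\s*:\s*(.+?)\s+GMT", text).group(1)
    # openssl pads single-digit days with an extra space; collapse it first.
    not_after = datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y")
    return sig, not_after

def audit(cert_text, protocols, cipher):
    """Map observed settings to the warnings discussed in the answers."""
    findings = []
    sig, not_after = parse_cert(cert_text)
    if sig.lower().startswith("sha1") and not_after >= SHA1_CUTOFF:
        findings.append("outdated security settings: SHA-1 certificate valid "
                        f"until {not_after:%Y-%m-%d}; reissue with SHA-256")
    if "SSLv3" in protocols:
        findings.append("SSL 3.0 enabled (POODLE): disable SSLv3")
    if "TLSv1.2" not in protocols or "GCM" not in cipher:
        findings.append("obsolete cryptography: enable TLS 1.2 with "
                        "ECDHE and GCM cipher suites")
    return findings

if __name__ == "__main__":
    # Constructed observation matching what the answers report for the site.
    observed = ({"SSLv3", "TLSv1.0"}, "DHE_RSA AES_256_CBC SHA1")
    for finding in audit(SAMPLE_CERT_TEXT, *observed):
        print("-", finding)
```
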
