Opened 10 years ago
Closed 9 years ago
#3826 closed defect (invalid)
oscam's SSL implementation doesn't serve the complete cert hierarchy
Reported by: | Znuff | Owned by: | |
---|---|---|---|
Priority: | minor | Component: | Webinterface |
Severity: | low | Keywords: | ssl, webif |
Cc: | | Sensitive: | no |
Description
Revision
r9847 (and before)
Issue Description
The way oscam implements SSL is not completely correct. Even though you add all the intermediate certificates into the .pem file (along with the signature, as this is required), oscam will only serve the host certificate, disregarding the rest.
Normally this is not a big issue with desktop browsers, as they simply fetch the intermediate certificate on their own, but mobile browsers (see Chrome on Android, for example), or browsers that are more security oriented (see Tor Browser), will refuse to do that by themselves.
In the attached screenshot (screenshot1.png) see how Google (as an example) serves its complete chain to Tor Browser, but oscam does not.
When the issue occurs
In mobile browsers (Chrome for Android, as an example) and security-conscious browsers (e.g. Tor Browser)
How the issue is reproducible
- Get a certificate from a CA that is recognized (I personally use StartSSL and their 1-year, level 1 certificate)
- Place the certificate in oscam.pem (along with the contents of ca-bundle.pem, though you should only need sub.class1.server.ca.pem that startssl offers)
- You should be getting a green "https://" in desktop browsers, but mobile browsers will throw a warning (see screenshot2.png) together with a red "https://".
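The missing-intermediate condition described above can be checked on the bundle itself before it is handed to oscam. The following is an added example, not code from the oscam project: a stdlib-only Python walk over the DER fields of each certificate in a PEM bundle that confirms every certificate's issuer is the subject of the one after it, in the order a server presents them (host certificate first). The sample bundles are constructed stand-ins with the real TBSCertificate field layout, not real certificates; the names oscam.example, Sub CA and Root CA are invented.

```python
import base64, re

def _tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, end); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def names(der_cert):
    """Return (issuer, subject) as the raw DER Name encodings of an X.509 certificate."""
    _, cert, _ = _tlv(der_cert)           # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _tlv(cert)                # TBSCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = _tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:              # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]

def pem_certs(text):
    """DER bytes of every CERTIFICATE block in PEM text; keys and other blocks are skipped."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def chain_gaps(text):
    """Positions i where cert i's issuer is not the subject of cert i+1 (leaf first, as served)."""
    certs = pem_certs(text)
    return [i for i in range(len(certs) - 1) if names(certs[i])[0] != names(certs[i + 1])[1]]

# Constructed sample data, not real certificates: dummy DER with the real TBSCertificate field order.
def _der(tag, *parts):
    body = b"".join(parts)                # samples stay under 128 bytes, so short-form lengths suffice
    return bytes([tag, len(body)]) + body

def fake_cert(subject, issuer):
    name = lambda s: _der(0x30, _der(0x0C, s.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), _der(0x30),
               name(issuer), _der(0x30), name(subject), _der(0x30))
    return _der(0x30, tbs, _der(0x30), _der(0x03, b"\x00"))

def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

LEAF, SUB, ROOT = fake_cert("oscam.example", "Sub CA"), fake_cert("Sub CA", "Root CA"), fake_cert("Root CA", "Root CA")
FULL_BUNDLE = to_pem(LEAF) + to_pem(SUB) + to_pem(ROOT)   # what a complete oscam.pem chain looks like
BROKEN_BUNDLE = to_pem(LEAF) + to_pem(ROOT)               # intermediate missing -> chain_gaps == [0]
```

The same functions can be pointed at the text that `openssl s_client -showcerts` prints for the live web interface, since that output contains the served certificates as PEM blocks in presentation order; a single block means only the host certificate was sent, which is the behaviour this ticket reports.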
Attachments (3)
Change History (4)
by , 10 years ago
Attachment: screenshot1.png added
by , 10 years ago
Attachment: k1UaVT3[1].png added
sslshopper.com/ssl-checker.html is reporting the certificate to be installed correctly, but missing intermediate/chain certificate
comment:1 by , 9 years ago
Resolution: → invalid
Status: new → closed
oscam is not a webserver with full ssl implementation...
Comparison of Google's Hierarchy with Oscam's Hierarchy