Opened 7 months ago

Last modified 4 months ago

#2137 reopened defect

ssl certificate for www.cactuscode.org does not match common name

Reported by: Roland Haas
Owned by:
Priority: minor
Milestone:
Component: EinsteinToolkit website
Version: development version
Keywords: www.cactuscode.org
Cc:

Description

Frank's checker at:

https://www.cct.lsu.edu/~knarf/cgi-bin/monitor.cgi

reports a wrong common name in the certificate for www.cactuscode.org which is confirmed by

https://www.sslshopper.com/ssl-checker.html?host=www.cactuscode.org#hostname=www.cactuscode.org

This makes connecting to www.cactuscode.org using ssl impossible (or at least one needs to grant a security exception).

Only minor b/c right now www.cactuscode.org seems to not use ssl anyway (though it should do so at least for the login to drupal).

Change History (6)

comment:1 Changed 7 months ago by Steven R. Brandt

Actually, the problem is worse than that. Cactuscode.org has become einsteintoolkit.org. Let me look into this.

comment:2 Changed 7 months ago by Steven R. Brandt

Resolution: fixed
Status: new → closed

comment:3 Changed 7 months ago by Roland Haas

Resolution: fixed
Status: closed → reopened

Now there are two non matching ones in https://www.cct.lsu.edu/~knarf/cgi-bin/monitor.cgi:

  • einsteintoolkit.org wrong common name in certificate
  • www.cactuscode.org wrong common name in certificate

comment:4 Changed 4 months ago by Roland Haas

This is still happening for cactuscode.org. Maybe this could be fixed while taking care of https://trac.einsteintoolkit.org/ticket/2145 ?

comment:5 Changed 4 months ago by Steven R. Brandt

I thought I'd cleared this long ago, and I don't see any problem. Both https://www.cactuscode.org and https://cactuscode.org work for me.

comment:6 Changed 4 months ago by Roland Haas

It works for me as well. Yet the monitor script referenced above (https://www.cct.lsu.edu/~knarf/cgi-bin/monitor.cgi) complains. ssl checker (https://www.sslshopper.com/ssl-checker.html#hostname=https://www.cactuscode.org/) notes that a SHA1 signature is used which is somewhat unsafe these days.

The wrong common name might be reported by gnutls-cli (but not openssl) https://outflux.net/blog/archives/2010/03/10/openssl-client-does-not-check-commonname/ which also seems to indicate that openssl is doing the "right thing".

Note that the version of gnutls-cli on my Linux box (3.5.18) does not produce the warning.

So it seems we should

  1. close this ticket as "worksforme"
  2. check the cgi script and update the gnutls-cli version it uses
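
An added example, not part of the ticket and not the monitor script's code: it shows how a CN-only comparison and an RFC 6125 style SAN-first comparison can give different answers for the same certificate, which is one way two checkers can disagree about a host. The certificate dicts are constructed samples shaped like the output of Python's `ssl.SSLSocket.getpeercert()`, not the real certificates of these hosts, and all function names are hypothetical.

```python
# Added example: hostname verification over a dict shaped like the result of
# ssl.SSLSocket.getpeercert(). The certificates below are constructed samples.

def name_match(pattern: str, host: str) -> bool:
    """Match one DNS name; '*' is allowed only as the entire left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_first, _, p_rest = p.partition(".")
    h_first, _, h_rest = h.partition(".")
    # Require at least two labels after the wildcard, so "*.org" never matches.
    return p_first == "*" and bool(h_first) and p_rest == h_rest and "." in p_rest

def common_names(cert: dict) -> list:
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def dns_sans(cert: dict) -> list:
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def cn_only_check(cert: dict, host: str) -> bool:
    """Legacy behaviour: compare the host against subject commonName only."""
    return any(name_match(cn, host) for cn in common_names(cert))

def san_first_check(cert: dict, host: str) -> bool:
    """RFC 6125 behaviour: dNSName SANs decide; CN is consulted only if none exist."""
    sans = dns_sans(cert)
    names = sans if sans else common_names(cert)
    return any(name_match(n, host) for n in names)

def audit(cert: dict, host: str) -> dict:
    cn, san = cn_only_check(cert, host), san_first_check(cert, host)
    if cn == san:
        verdict = "ok" if san else "mismatch"
    else:
        verdict = "checker disagreement (CN-only vs SAN-first)"
    return {"host": host, "cn_only": cn, "san_first": san, "verdict": verdict}

# Constructed: one certificate shared by two sites; the CN names only the first.
SHARED = {"subject": ((("commonName", "einsteintoolkit.org"),),),
          "subjectAltName": (("DNS", "einsteintoolkit.org"), ("DNS", "www.cactuscode.org"))}
# Constructed: CN matches but the SAN list omits the host, so SAN-first rejects it.
STALE_SAN = {"subject": ((("commonName", "www.cactuscode.org"),),),
             "subjectAltName": (("DNS", "einsteintoolkit.org"),)}

if __name__ == "__main__":
    for cert in (SHARED, STALE_SAN):
        print(audit(cert, "www.cactuscode.org"))
```

A monitor that reports "disagreement" separately from "mismatch" makes it clear whether the certificate or the checking tool needs attention.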
