Re: a problem connecting to a specific Site ...

[Jakob Bohm via openssl-users <openssl-users@xxxxxxxxxxx>]

On 03/11/2018 08:56, Walter H. wrote:
> Hello,
>
> it is a little bitte weird/strange/complicated;
>
> On 02.11.2018 23:05, Matt Caswell wrote:
> > On 02/11/2018 21:51, Walter H. wrote:
> > > Hello,
> > >
> > > when I try to connect tohttps://www.3bg.at/
> > > I get the following error
> > >
> > > Handshake with SSL server failed: error:1408E0F4:SSL
> > > routines:SSL3_GET_MESSAGE:unexpected message
> > >
> > > but
> > > https://www.ssllabs.com/ssltest/analyze.html?d=www.3bg.at
> > > says its ok ...
> > >
> > > is the problem on my side or on their side?
> > You'll need to give us more information. I can connect to that server
> > using OpenSSL 1.0.2 s_client.
> >
> > What version of OpenSSL are you using? Is this with your own application
> > or from s_client? What ciphersuites have you configured? Any other
> > relevant configuration that we should know about?
> the mentioned error comes with squid - ssl-bump on;
> in case I switch it off and have it as normal proxy, then is really 
> suspisious:
> - an old Firefox (17.0.11esr) has no problems, the Sites is shown and 
> works
>
> - an older Google Chrome (the last one f. WinXP, v46) gives:
>                       SSL connection error
>                       ERR_SSL_PROTOCOL_ERROR
>
> - a fork of the latest Pale Moon (Mypal) and an old Palemoon itself 
> (the last one f. WinXP) gives:
>                     An error occurred during a connection to www.3bg.at.
>                     Peer’s certificate has an invalid signature.
>                     (Error code: SEC_ERROR_BAD_SIGNATURE)
>
> what is this strange?
>
> but what does this mean at the mentioned SSLlabs result:
>
> Certificate Transparency No
>
> when I compare to any other site (e.g. my own with Let's encrypt 
> certificate),
> I get
>
> Certificate Transparency *Yes (certificate)*
>
> is this caused on my side or on the other side?
Certificate Transparency means that the CA that issued the certificate
also published it using a Google-promoted protocol to provide
"Transparency" for the certificate issuing industry, at the cost of
customer privacy.

Chrome Browser now (or soon) punishes websites that whose certificate
was not published that way, making it a relevant test for web server
operators wanting to check that everything will work in all browsers.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users