Re: a problem connecting to a specific Site ...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 03/11/2018 08:56, Walter H. wrote:
Hello,

it is a little bitte weird/strange/complicated;

On 02.11.2018 23:05, Matt Caswell wrote:
On 02/11/2018 21:51, Walter H. wrote:
Hello,

when I try to connect tohttps://www.3bg.at/
I get the following error

Handshake with SSL server failed: error:1408E0F4:SSL
routines:SSL3_GET_MESSAGE:unexpected message

but
https://www.ssllabs.com/ssltest/analyze.html?d=www.3bg.at
says its ok ...

is the problem on my side or on their side?
You'll need to give us more information. I can connect to that server
using OpenSSL 1.0.2 s_client.

What version of OpenSSL are you using? Is this with your own application
or from s_client? What ciphersuites have you configured? Any other
relevant configuration that we should know about?


the mentioned error comes with squid - ssl-bump on;
in case I switch it off and have it as normal proxy, then is really suspisious: - an old Firefox (17.0.11esr) has no problems, the Sites is shown and works

- an older Google Chrome (the last one f. WinXP, v46) gives:
                      SSL connection error
                      ERR_SSL_PROTOCOL_ERROR

- a fork of the latest Pale Moon (Mypal) and an old Palemoon itself (the last one f. WinXP) gives:
                    An error occurred during a connection to www.3bg.at.
                    Peer’s certificate has an invalid signature.
                    (Error code: SEC_ERROR_BAD_SIGNATURE)

what is this strange?

but what does this mean at the mentioned SSLlabs result:

Certificate Transparency No

when I compare to any other site (e.g. my own with Let's encrypt certificate),
I get

Certificate Transparency *Yes (certificate)*

is this caused on my side or on the other side?


Certificate Transparency means that the CA that issued the certificate
also published it using a Google-promoted protocol to provide
"Transparency" for the certificate issuing industry, at the cost of
customer privacy.

Chrome Browser now (or soon) punishes websites that whose certificate
was not published that way, making it a relevant test for web server
operators wanting to check that everything will work in all browsers.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux