- removed comment
ssl certificate for www.cactuscode.org does not match common name
Frank's checker at:
https://www.cct.lsu.edu/~knarf/cgi-bin/monitor.cgi
reports a wrong common name in the certificate for www.cactuscode.org which is confirmed by
https://www.sslshopper.com/ssl-checker.html?host=www.cactuscode.org#hostname=www.cactuscode.org
this makes connecting to www.cactuscode.org using ssl impossible (or at least one needs to grant a security exception).
Only minor b/c right now www.cactuscode.org seems to not use ssl anyway (though it should do so at least for the login to drupal).
Keyword: www.cactuscode.org
Comments (7)
-
-
- changed status to resolved
- removed comment
-
reporter - changed status to open
- removed comment
Now there are two non matching ones in https://www.cct.lsu.edu/~knarf/cgi-bin/monitor.cgi:
- einsteintoolkit.org wrong common name in certificate
- www.cactuscode.org wrong common name in certificate
-
reporter - removed comment
This is still happening for cactuscode.org. Maybe this could be fixed while taking care of https://trac.einsteintoolkit.org/ticket/2145 ?
-
- removed comment
I thought I'd cleared this long ago, and I don't see any problem. Both https://www.cactuscode.org and https://cactuscode.org both work for me.
-
reporter - removed comment
It works for me as well. Yet the monitor script referenced above (https://www.cct.lsu.edu/~knarf/cgi-bin/monitor.cgi) complains. ssl checker (https://www.sslshopper.com/ssl-checker.html#hostname=https://www.cactuscode.org/) notes that a SHA1 signature is used which is somewhat unsafe these days.
The wrong common name might be reported by gnutls-cli (but not openssl) https://outflux.net/blog/archives/2010/03/10/openssl-client-does-not-check-commonname/ which also seems to indicate that openssl is doing the "right thing".
Note that the version of gnutls-cli on my Linux box (3.5.18) does not produce the warning.
So it seems we should
- close this ticket as "worksforme"
- check the cgi script and update the gnutls-cli version it uses
-
reporter - edited description
- changed status to wontfix
The SSL certs are ok, Frank's checking script uses a version of gnutls that complains about things that are explicitly allowed and wants things that are explicitly not liked.
- Log in to comment
Actually, the problem is worse than that. Cactuscode.org has become einsteintoolkit.org. Let me look into this.