[LINK] More on the Uselessness of Dig Sig Certs
Kim Davies
kim at cynosure.com.au
Tue Jul 17 13:51:14 AEST 2012
Quoting Roger Clarke on Tuesday July 17, 2012:
| (1) Safari 4.1.3 displays a small box containing:
| >This certificate is not valid (host name mismatch).
| See http://www.rogerclarke.com/II/MA-120717-Safari.tiff
|
| (2) Firefox 3.0.19 displays
| >medicareaustralia.gov.au uses an invalid security certificate.
| >The certificate is only valid for www.medicareaustralia.gov.au.
| >(Error code: ssl_error_bad_cert_domain)
| [But wait a minute, that's the same domain as in the URL window]
| See http://www.rogerclarke.com/II/MA-120717-Firefox.tiff
Both of these errors relate to the fact the certificate is solely for
"www.medicareaustralia.gov.au", and only that precise hostname, but
you've connected to the hostname "medicareaustralia.gov.au". The "www."
makes it a different hostname.
As for an expired signature, indeed the intermediate signature used to
sign that certificate appears to have expired last year on October 24.
It appears this blog post references the same issue: http://blog.techstacks.com/2011/10/oh-verisign-you-so-funny-another-expired-intermediate-cert.html
So, as esoteric as the errors may be, they are both valid errors.
---
Certificate chain
0 s:/C=AU/ST=ACT/L=Tuggeranong/O=Medicare Australia/OU=Australian Government/CN=www.medicareaustralia.gov.au
i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
...
1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
...
2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
kim
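
The two failures explained in the message above, as an added example that is not part of the original post: an RFC 6125-style host name check plus a per-certificate expiry check. The chain data is constructed; only the leaf host name and the intermediate's 24 October 2011 expiry come from the post, and the other dates and all function names are assumptions.

```python
from datetime import datetime

def name_matches(pattern: str, host: str) -> bool:
    """Exact label-by-label match, or one leftmost '*' covering one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # "www.example" and "example" differ in label count
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_chain(host: str, chain: list, now: datetime) -> list:
    """chain is leaf-first; each entry has 'subject', 'names', 'not_after'."""
    problems = []
    leaf = chain[0]
    if not any(name_matches(n, host) for n in leaf["names"]):
        problems.append(f"host name mismatch: {host} not in {leaf['names']}")
    for depth, cert in enumerate(chain):
        if now > cert["not_after"]:
            problems.append(f"expired: chain[{depth}] {cert['subject']}")
    return problems

# Constructed sample mirroring the chain in the post (leaf first).
CHAIN = [
    {"subject": "CN=www.medicareaustralia.gov.au",
     "names": ["www.medicareaustralia.gov.au"],
     "not_after": datetime(2013, 1, 1)},      # constructed date
    {"subject": "OU=VeriSign International Server CA - Class 3",
     "names": [],
     "not_after": datetime(2011, 10, 24)},    # date per the post, time assumed
    {"subject": "OU=Class 3 Public Primary Certification Authority",
     "names": [],
     "not_after": datetime(2028, 1, 1)},      # constructed date
]
NOW = datetime(2012, 7, 17)                   # date of the message

if __name__ == "__main__":
    for host in ("medicareaustralia.gov.au", "www.medicareaustralia.gov.au"):
        print(host, check_chain(host, CHAIN, NOW))
```

With the "www." prefix only the expired intermediate is reported; without it both problems appear, which matches the two browser errors quoted above.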