Check whole chain

Question

Check whole chain

Closed this issue 10 years ago · 11 comments

and click on cert info. The leaf is SHA-2 but the intermediate is SHA-1. We should warn about that, I think?

Answer 1 · 2014-08-25T18:13:32.000Z

That's interesting. Yes, I think that's a good advanced option, but not something to default to.

Domain owners are rarely in control of the intermediate and root certs they depend on, so it would weaken the clear ask the site is hoping to make of domain owners. But I think introducing some advanced options would be good, and this would be perfect for that.

Answer 2 · 2014-08-25T20:45:04.000Z

My concern is that people will be sad when shaaaaa says "hey you will be fine when Chrome/MS change behavior" but then they won't be.

Answer 3 · 2014-08-26T05:05:16.000Z

That pressure has to be directed towards the CAs, who are already under more effective pressure from the browsers than all but the most high-profile domain owners. The primary purpose of this site is to motivate the long tail of small and intermediate sites to accelerate their cert re-issuing plans.

Answer 4 · 2014-09-01T07:28:22.000Z

@devd I haven't updated the checker to do this yet, but I did add a whole section to the site about replacing intermediates, along with some resources @jonnybarnes helped dig up.

If you'd like to help out finding more, or on nailing down precise instructions for ones we've found but don't know how to use, look at this wiki page, help fill in some gaps, and let me know on this thread or Twitter when I should do another pass at reviewing it.

Answer 5 · 2014-09-02T06:34:31.000Z

@devd, you'll be pleased with #30, which adds support for checking intermediates, and brings down richer and more stable metadata for each cert, using the excellent node-x509 module.

It's not exposed in the UX yet, so I'm not closing this issue, but the checking API has the full JSON exposed and now I just need to start using the results in the front-end.

Answer 6 · 2014-09-03T15:09:10.000Z

"like" ;)

A minor concern is how openssl builds the chain. Are you getting the chain or are you getting "all certs"? I can take a look later, if needed.

Answer 7 · 2014-09-03T15:09:51.000Z

actually, never mind, I think getting the chain per openssl should be fine since thats what Chrome and IE will do

Answer 8 · 2014-09-03T15:15:00.000Z

Just clarifying, but in terms of validating the whole chain, according to the Mozilla Wiki article on SHA-1 certs, we wouldn't need to check the root cert, just intermediate CA certs.

Answer 9 · 2014-09-03T21:08:09.000Z

Correct. For one, site operators have no control over root certs, since they get shipped with browsers. But root certs are also completely unaffected by the weakness of SHA-1, because their SHA-1 signature is not used to validate them as trustworthy (their presence in browsers' trust stores does instead). So only supplied intermediates need to be checked.

Answer 10 · 2014-09-08T03:05:55.000Z

This now checks the whole chain, as of #35. It doesn't show full details yet, but it does link to SSL Labs, so that's good enough for now. I'd love to show more details, link to specific suggestions, etc., but that takes more UX work and styling and that'll come down the line (and help is very welcome).

Answer 11 · 2014-09-09T21:39:18.000Z

this is good though! thanks a lot!