[Caml-list] ocaml.org ssl certificate problem

[Caml-list] ocaml.org ssl certificate problem

[Milan Stanojević]

Firefox is complaining about ocaml.org's certificate issuer, says
"unknown issuer".
Chromium doesn't complain and allows me to open ocaml.org.

It's possible my configuration is messed up.
Anyone else having this problem?

Re: [Caml-list] ocaml.org ssl certificate problem

[Peter Zotov]

On 2014-09-30 06:15, Milan Stanojević wrote:
> Firefox is complaining about ocaml.org's certificate issuer, says
> "unknown issuer".
> Chromium doesn't complain and allows me to open ocaml.org.
> 
> It's possible my configuration is messed up.
> Anyone else having this problem?

Let me try to guess--do you use Windows XP?

-- 
Peter Zotov

RE: [Caml-list] ocaml.org ssl certificate problem

[David Allsopp]

Milan Stanojevic wrote:
> Firefox is complaining about ocaml.org's certificate issuer, says "unknown
> issuer".
> Chromium doesn't complain and allows me to open ocaml.org.
> 
> It's possible my configuration is messed up.
> Anyone else having this problem?

It looks like ocaml.org's SSL is not correctly configured and it's not sending the intermediate CA certificate (see output of http://www.ssltool.com/?action=sslCheckOpenSSL&address=ocaml.org). The intermediate CA certificate is at http://wiki.gandi.net/en/ssl/intermediate, by the look of it.

This will be a problem viewing in an evangelical browser like Firefox which doesn't include a stash of common intermediate CA certificates, but not so much of a problem in Chromium (especially if you do happen to be running on Windows, where it uses Microsoft's built-in certificate store) which is a little more liberal - or less liberal, depending on political viewpoint! - about the certificates it pre-installs for you!

However, it will have problems in Chromium later this year when SHA1 starts to be retired: http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html


David