[tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
Ondrej Mikle
ondrej.mikle at gmail.com
Wed Jan 4 20:10:18 UTC 2012
On 01/04/12 07:40, Greg wrote:
> Hi,
> I searched google for people having problems accessing torproject.org
> from Chrome on Windows, but I didn't see much besides a discussion on
> December 21 about an outage
> (http://comments.gmane.org/gmane.network.tor.general/2514).
>
> I can access torproject.org from Firefox on my Windows (Server 2003)
> machine, but not from Chrome. I get an "Invalid Server Certificate"
> error and it doesn't let me continue. Any ideas what might be wrong
> with my Chrome/Windows setup?
I can reproduce it on WinXP/Chrome. This seems to be a bug in Microsoft
CryptoAPI (unless I am missing something).
So what's going on here (amazing case of "cooperation paradox"):
1. Firefox and Chrome on Windows see different chains. Specifically, Chrome sees
a different intermediate certificate for "DigiCert High Assurance CA-3" than the
certificate sent by the www.torproject.org server.
2. Since www.torproject.org does not send the DigiCert root CA cert in the handshake,
each browser builds yet another chain to the root.
3. I've verified the chain seen by Chrome with gnutls, then looked at the
certificate differences by hand (checks out fine in both cases). I can't see why
MS CryptoAPI thinks the signature is invalid: it's not revoked and validity
period, extensions, etc. seem fine as well.
Though it might be helpful if www.torproject.org sent the whole chain (up to the
DigiCert root).
If anyone wants to dig into it, three different chains are attached (one from
Chrome 16.0.912.63 m/Win, two from Firefox 9.0.1/Linux - yes, it's possible to
get two chains on different profiles).
Ondrej
Attachments (embedded text, scrubbed by the list archive):
torproject.org_chrome_chain: http://lists.torproject.org/pipermail/tor-talk/attachments/20120104/570a5549/attachment-0003.ksh
torproject.org_firefox_chain: http://lists.torproject.org/pipermail/tor-talk/attachments/20120104/570a5549/attachment-0004.ksh
torproject.org_firefox_chain_no_cross: http://lists.torproject.org/pipermail/tor-talk/attachments/20120104/570a5549/attachment-0005.ksh
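An added illustration of the chain-building situation described above (constructed example, not code from this thread, from torproject.org or from DigiCert): a tiny CA hierarchy in which one intermediate subject and key is issued by Root A and also cross-signed by Root B, so the leaf has two valid chains, much like the "cross" and "no_cross" chains attached. `openssl verify` then shows that the outcome depends on which root the validator trusts and which copy of the intermediate it has on hand, which is why serving the complete chain matters. All names and the `chain_status` helper are made up; it assumes `openssl` 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Constructed demo: one intermediate CA subject and key, issued twice
# (by Root A, and cross-signed by Root B), so the leaf has two valid chains.
set -e
WORK=$(mktemp -d); cd "$WORK"
trap 'rm -rf "$WORK"' EXIT
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF
REQ="openssl req -config ca.cnf -newkey rsa:2048 -nodes"
$REQ -x509 -days 30 -subj "/CN=Demo Root A" -keyout rootA.key -out rootA.pem 2>/dev/null
$REQ -x509 -days 30 -subj "/CN=Demo Root B" -keyout rootB.key -out rootB.pem 2>/dev/null
# One CSR for the intermediate: the same key and subject get two issuers.
$REQ -new -subj "/CN=Demo Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
# sign CSR ISSUER_CERT ISSUER_KEY EXT_SECTION SERIAL OUTFILE
sign() {
  openssl x509 -req -days 30 -in "$1" -CA "$2" -CAkey "$3" -set_serial "$5" \
    -extfile ca.cnf -extensions "$4" -out "$6" 2>/dev/null
}
sign inter.csr rootA.pem rootA.key ca 1001 interA.pem   # copy our server sends
sign inter.csr rootB.pem rootB.key ca 1002 interB.pem   # cross-signed copy
$REQ -new -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
sign leaf.csr interA.pem inter.key leaf 2001 leaf.pem   # leaf names the shared subject as issuer
# chain_status ROOTFILE INTERFILE: result for a validator that trusts only
# ROOTFILE and has INTERFILE as the intermediate it found. Prints ok or FAIL.
chain_status() {
  if openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}
echo "trust Root A, server-sent intermediate:  $(chain_status rootA.pem interA.pem)"
echo "trust Root B, cross-signed intermediate: $(chain_status rootB.pem interB.pem)"
echo "trust Root A, cross-signed intermediate: $(chain_status rootA.pem interB.pem)"
```

The third line fails with "unable to get issuer certificate": the leaf itself is fine, but the intermediate copy the validator picked leads to a root it does not trust, so the server sending its own intermediate (and ideally the full chain) removes the guesswork.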