BLU Discuss list archive
[Discuss] Rekonq doesn't trust my Certificate Authority
- Subject: [Discuss] Rekonq doesn't trust my Certificate Authority
- From: effigies at riseup.net (Chris Markiewicz)
- Date: Thu, 12 Mar 2015 09:54:29 -0400
- In-reply-to: <20150312112820.GY21314@randomstring.org>
- References: <55010F7B.9020009@horne.net> <20150312112820.GY21314@randomstring.org>
On 03/12/2015 07:28 AM, Dan Ritter wrote:
> On Thu, Mar 12, 2015 at 12:00:59AM -0400, Bill Horne wrote:
>> I've come across an odd problem with Rekonq, and I'm looking for help.
>>
>> I have a "real" SSL certificate for my website, billhorne.com. It
>> shows, as is expected, a "padlock" icon when I go to
>> https://billhorne.com/ .
>>
>> Except when I use Rekonq, and then the KDE browser gives me an
>> "untrusted" error, saying that the root CA certificate is not
>> trusted for this use. Google searches show that it's a "known"
>> problem, but the only pages I found were of suggestions that there
>> was a MITM attack in progress or warning against using a self-signed
>> cert.
>>
>> I took a screen shot of the "details" page: it's at
>> https://billhorne.com/snapshot1.png . All suggestions are welcome,
>> and thank you in advance.
>
> https://www.ssllabs.com/ssltest/analyze.html?d=billhorne.com&latest
>
> You probably have some certificate chain problems that Rekonq is
> sensitive to.

Yes, specifically, Bill is sending a "GeoTrust Global CA" cert signed by a weak (1024-bit) EquiFax CA. He is also not sending the RapidSSL intermediate cert. So Rekonq could be upset at the broken chain or possibly the partial chain being untrustworthy.

Replacing your chain with the "RapidSSL SHA256 CA - G3" cert with fingerprint 0e34141846e7423d37f20dc0ab06c9bbd843dc24 should resolve this. (Can be found here: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26457)

> You support weak algorithms -- try:
>
> SSLCipherSuite ALL:!ADH:RC4:+HIGH:+MEDIUM:!LOW:!EXP:!AECDH
> SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
> SSLCompression off
>
> With RC4, you have some weakness, but without RC4, you'll lose a
> lot of older browsers. In a year or three you can probably drop
> that, too.

If it's a personal website, I don't see much disadvantage to dropping these. If somebody complains they can't see it, maybe consider reenabling RC4, but if you don't need to worry about losing business from people running XP, there's no need to preemptively weaken.

On sites where I'm interested in making sure friends and family can connect, this is my suite:

EECDH:EDH:!MEDIUM:!LOW:!EXP:!DSS:!aNULL:!eNULL:!RC4:!3DES:!SEED:!MD5

Again, though, I'm interested in personal users who have almost certainly upgraded machines in the last 5 years, not corporate clients who may be running early-00's tech.

> And when you renew the cert, you should get SHA2 instead of
> SHA1.

Bill's is SHA2. It's the chain that's not.
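One way to check a served chain for the two problems discussed in this thread (a missing intermediate, and a CA cert with a 1024-bit RSA key or SHA-1 signature) without relying on an online scanner. This is an added example, not code from the thread or from any project; it assumes `openssl` is on the PATH, and the function and file names are its own.

```shell
#!/bin/sh
# Added example: audit the certificate chain a TLS server actually sends.
# Flags the chain problems raised in the thread: a leaf sent without its
# intermediate, a CA cert with a 1024-bit RSA key, a SHA-1/MD5 signature.
# Function and file names are this example's own, not the thread's.

# Fetch the chain presented by host $1 on port $2 (default 443) as PEM.
fetch_chain() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
    </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Number of certificates in PEM bundle $1. A count of 1 means the server
# sends only its leaf, the "not sending the intermediate" case above.
chain_length() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print subject, key size and signature algorithm for each cert in
# bundle $1. Returns 1 if any RSA key is under 2048 bits or any
# signature uses SHA-1/MD5, which a strict client may refuse to trust.
audit_chain() {
  bundle=$1 rc=0 i=0
  tmp=$(mktemp -d) || return 2
  # Split the bundle into one file per certificate.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/cert" n ".pem")}' "$bundle"
  for f in "$tmp"/cert*.pem; do
    i=$((i + 1))
    text=$(openssl x509 -in "$f" -noout -text)
    subject=$(printf '%s\n' "$text" | sed -n 's/^ *Subject: //p' | head -1)
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: //p' | head -1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -1)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -1)
    printf '%d: %s | %s %s bits | %s\n' "$i" "$subject" "$alg" "${bits:-?}" "$sig"
    case $sig in
      sha1*|md5*) echo "   WEAK SIGNATURE: $sig"; rc=1 ;;
    esac
    if [ "$alg" = rsaEncryption ] && [ "${bits:-0}" -lt 2048 ]; then
      echo "   WEAK KEY: ${bits}-bit RSA"; rc=1
    fi
  done
  rm -rf "$tmp"
  return $rc
}

# Stand-alone use: sh chaincheck.sh <host>
if [ $# -eq 1 ]; then
  fetch_chain "$1" > chain.pem
  echo "chain length: $(chain_length chain.pem)"
  audit_chain chain.pem
fi
```

The audit only looks at what the server sends; a chain that passes here can still fail in a client whose trust store lacks the root it chains to.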