<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div><blockquote type="cite" class=""><div class="">On Jun 12, 2015, at 2:18 PM, Wyatt Zacharias <<a href="mailto:wyatt@magitech.ca" class="">wyatt@magitech.ca</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="">So we recently upgraded our SSL certificate to SHA256 to meet Google's new security policies, </div><div class="">and now we're getting very isolated incidents where browsers do not trust the new certificate because</div><div class="">the don't trust the CA that issued them. It first started from on a couple of our internal workstations</div><div class="">but we now have a customer with the same issue. From what I can see, it looks like the browser is</div><div class="">not seeing the first certificate in the chain, which is the Verisign root certificate, and then it doesn't</div><div class="">trust the rest of the chain. </div><div class=""><br class=""></div><div class="">Here's what our correct chain looks like: </div><div class=""><span id="cid:ii_14de930a338ff48d"><image.png></span><br class=""></div><div class=""><br class=""></div><div class="">And here's what I see on the clients with the error:</div><div class=""><span id="cid:ii_14de93134f3a0391"><image.png></span><br class=""></div><div class=""><br class=""></div><div class="">Could it be an issue on the Apache end, or maybe an obscure issue with Internet explorer? </div><div class="">It's odd that I don't even see the first certificate in the chain marked as invalid, I just don't see</div><div class="">a certificate at all.</div><div class=""><br class=""></div><div class="">If anyone cares to give it try for themselves, <a href="https://www.mb.bluecross.ca/" class="">https://www.mb.bluecross.ca</a> let me know if you get</div><div class="">an error. </div></div></div></blockquote></div><br class=""><div class="">I pumped that URL into SSL Labs w/ hide results on so it wouldn’t put it on the public list of recent tests, and didn’t find any glaring errors:</div><div class=""><a href="https://www.ssllabs.com/ssltest/analyze.html?d=mb.bluecross.ca&hideResults=on" class="">https://www.ssllabs.com/ssltest/analyze.html?d=mb.bluecross.ca&hideResults=on</a></div><div class=""><br class=""></div><div class="">It lists a matrix of browsers near the bottom, and only iE6 on XP is incompatible w/ the SSL/TLS settings used. It also contains details on the certification chain(s). In this case there is only one chain, the intermediary isn’t cross-signed by another CA. </div><div class=""><br class=""></div><div class="">The only potential issue I can see is the full certification chain is all SHA256withRSA. Any browser/OS with old crypto that doesn’t know about SHA256 (IE6/XP, some combinations of windows 2003, probably others too) will probably have trouble validating this chain. Theres not much you can do about this though except encourage your customers to always run up to date browsers/OSs. </div><div class=""><br class=""></div><div class="">Which browser/OS combos aren’t working?</div><div class=""><br class=""></div><div class="">Theo</div><div class=""><br class=""></div></body></html>