Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
At the login webpage of <https://webmail.roadrunner.com>, the Time Warner Cable (TWC) Webmail site, I am immediately confronted with a warning that the Security Certificate is invalid & that the site is untrusted. This occurs with Firefox, Seamonkey, & Konqueror. This does not occur on Microsoft or Apple systems; I have checked other colleagues machines.
I have manually overridden the warning & everything functions fine. I have contacted TWC & am awaiting their tests. But, I would like some independent corroboration from other users in the Linux community.
Could some of you perform the test yourself on this URL? An error will be readily apparent.
No problems viewing their site either. The certificate I see is a class 3 one by verisign that expires on Aug 16, 2001 issued to the CN of webmail.roadrunner.com, with an md5 fingerprint that ends in ee:e5:f3:7a.
The biggest problem I have seen with these kinds of sites is that sometimes the certificates are valid, but expired.
Did you examine the SSL cert to determine why your browser is complaining about it? (Unknown CA? Mismatched CN? Expired?)
I did examine the certificate in detail & it appears fine.
CN -> webmail.roadrunner.com
CN of CA -> Verisign Class 3 ...
Expires 2010 August 16 (Date/Time on my machine is accurate.)
No problems viewing their site either. The certificate I see is a class 3 one by verisign that expires on Aug 16, 2001 issued to the CN of webmail.roadrunner.com, with an md5 fingerprint that ends in ee:e5:f3:7a.
The biggest problem I have seen with these kinds of sites is that sometimes the certificates are valid, but expired.
You see "expires on Aug 16, 2001"? I see 8/16/2011.
The other data you see is what I find too.
While Firefox, Seamonkey, & Konqueror ALL find the certificate invalid, Opera (for Linux) does NOT find a problem. I'm really clueless about this matter.
If I, at the warning screen, create an override for this certificate, then there are no problems.
Did you view the same warning (black text on a yellow background) before temporarily allowing the page to run?
Thanks for testing.
I mean, I temporarily disabled NoScript after I first loaded the page. Then I reloaded the page to see if there was any difference.
I didn't do anything remotely related to certificates, and at no time, before of after I reloaded the page, did I see any warnings of any kind regarding certificates..
Considering the different expiration dates people have posted in this thread, a server-side issue sounds quite likely. Have you heard back from them yet? FWIW, the one I get was issued on 8/15/2010 and is valid until 8/16/2011.
I did examine the certificate in detail & it appears fine.
CN -> webmail.roadrunner.com
CN of CA -> Verisign Class 3 ...
Expires 2010 August 16 (Date/Time on my machine is accurate.)
Good deal. BTW, I am assuming the expiration you put in that post is a typo (because in the next post you wrote 2011). I mainly wanted to be sure that you weren't seeing h4x0r.pr0xy.whatever for a CN.
Most obvious cause, then: root CA cert is not known to your browser(s), which is actually fairly odd for Verisign.
A couple things:
What Linux distro / version are we talking about?
Is this the only https site you're having this problem with??
Considering the different expiration dates people have posted in this thread, a server-side issue sounds quite likely. Have you heard back from them yet? FWIW, the one I get was issued on 8/15/2010 and is valid until 8/16/2011.
Yes, your issue/expiration dates are what I see.
I do NOT know how to view the certificate code on my Slackware 13.1 box.
But here is the exact text from the Firefox file cert_override.txt
Code:
webmail.roadrunner.com:443 OID.2.16.840.1.101.3.4.2.1 31:46:08:24:6B:B6:CC:60:66:22:1C:D8:7B:CE:A4:BC:96:D2:6E:25:96:EB:22:84:EC:0B:73:C8:6F:B3:91:FA U AAAAAAAAAAAAAAAQAAAAuHD7V1YIWi3w+ZLwPOQpjkQwgbUxCzAJBgNVBAYTAlVT MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1 c3QgTmV0d29yazE7MDkGA1UECxMyVGVybXMgb2YgdXNlIGF0IGh0dHBzOi8vd3d3 LnZlcmlzaWduLmNvbS9ycGEgKGMpMDkxLzAtBgNVBAMTJlZlcmlTaWduIENsYXNz IDMgU2VjdXJlIFNlcnZlciBDQSAtIEcy
This is important, though. For the last 5 years, until a month ago, I never had a problem. It seems to coincide roughly with the renewal date in August.
TWC (Time Warner Cable) is "working on the problem", they say. But, it is not clear if they even have access to a Linux machine. We (Linux devotees) are only about 2% of their subscriber base.
Good deal. BTW, I am assuming the expiration you put in that post is a typo (because in the next post you wrote 2011). I mainly wanted to be sure that you weren't seeing h4x0r.pr0xy.whatever for a CN.
Most obvious cause, then: root CA cert is not known to your browser(s), which is actually fairly odd for Verisign.
A couple things:
What Linux distro / version are we talking about?
Is this the only https site you're having this problem with??
I am currently using Slackware 13.1, the 32 bit version. I have been a user of Slackware for about 15 years.
This is the only https website on which I have a problem & most, if not all, of the others (like banks) use VeriSign. That is why I think it is problem confined to them (Time Warner Cable).
In Firefox (4.0b6 or 3.6.x) at the login page. If I do (click)
Tools -> Page Info -> Security -> View Certificate
the very first line says
"Could not verify this certificate for unknown reasons"
but all the following data appears sound.
Konqueror & Seamonkey also 'birp' on the site; however, all use the same browser engine (Gecko). So, it's not surprising.
This invalid certificate issue only appeared in the last month or two; the 5 prior years I had no problem. Also I tried a MS Win box & an Apple machine: no warning message. However, it's been my experience with Linux that it is far more careful in assuring system security than our more popular competitors.
I want to thank everyone on this thread for looking into this situation.
FWIW, the 2001 was a typo, it was supposed to be 2011. When I pull up the page and go to tools->page info->security, it says that it has been verified by verisign and that it is trusted for the purpose of SSL Server Certificate.
Could it be a problem with whatever server you get redirected to for verification? As far as location, I am in North Carolina, which is about as far from Southern California as you can get in the lower 48. It would make sense for me to be accessing a different verification server.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.