LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-07-2010, 05:37 PM   #1
rdsherman
Member
 
Registered: Aug 2009
Location: Santa Monica CA
Distribution: Slackware, Fedora, Debian
Posts: 114

Rep: Reputation: 21
Invalid (Untrusted) Security Certificate - TWC Webmail


At the login webpage of <https://webmail.roadrunner.com>, the Time Warner Cable (TWC) Webmail site, I am immediately confronted with a warning that the Security Certificate is invalid & that the site is untrusted. This occurs with Firefox, Seamonkey, & Konqueror. This does not occur on Microsoft or Apple systems; I have checked other colleagues machines.

I have manually overridden the warning & everything functions fine. I have contacted TWC & am awaiting their tests. But, I would like some independent corroboration from other users in the Linux community.

Could some of you perform the test yourself on this URL? An error will be readily apparent.
 
Old 10-07-2010, 05:50 PM   #2
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 555Reputation: 555Reputation: 555Reputation: 555Reputation: 555Reputation: 555
I just visited it using my Slackware machine & Firefox, temporarily allowed the whole page to run, and I got no such warning.
 
Old 10-07-2010, 06:29 PM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Did you examine the SSL cert to determine why your browser is complaining about it? (Unknown CA? Mismatched CN? Expired?)
 
Old 10-08-2010, 04:29 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781
No problems viewing their site either. The certificate I see is a class 3 one by verisign that expires on Aug 16, 2001 issued to the CN of webmail.roadrunner.com, with an md5 fingerprint that ends in ee:e5:f3:7a.

The biggest problem I have seen with these kinds of sites is that sometimes the certificates are valid, but expired.
 
Old 10-08-2010, 10:55 AM   #5
rdsherman
Member
 
Registered: Aug 2009
Location: Santa Monica CA
Distribution: Slackware, Fedora, Debian
Posts: 114

Original Poster
Rep: Reputation: 21
Quote:
Originally Posted by GrapefruiTgirl View Post
I just visited it using my Slackware machine & Firefox, temporarily allowed the whole page to run, and I got no such warning.
What do you mean by "...tempoarily..."?

If I, at the warning screen, create an override for this certificate, then there are no problems.

Did you view the same warning (black text on a yellow background) before temporarily allowing the page to run?

Thanks for testing.
 
Old 10-08-2010, 11:05 AM   #6
rdsherman
Member
 
Registered: Aug 2009
Location: Santa Monica CA
Distribution: Slackware, Fedora, Debian
Posts: 114

Original Poster
Rep: Reputation: 21
Quote:
Originally Posted by anomie View Post
Did you examine the SSL cert to determine why your browser is complaining about it? (Unknown CA? Mismatched CN? Expired?)

I did examine the certificate in detail & it appears fine.
CN -> webmail.roadrunner.com
CN of CA -> Verisign Class 3 ...
Expires 2010 August 16 (Date/Time on my machine is accurate.)

But, I am a novice at examining certificates!
 
1 members found this post helpful.
Old 10-08-2010, 11:13 AM   #7
rdsherman
Member
 
Registered: Aug 2009
Location: Santa Monica CA
Distribution: Slackware, Fedora, Debian
Posts: 114

Original Poster
Rep: Reputation: 21
Quote:
Originally Posted by Noway2 View Post
No problems viewing their site either. The certificate I see is a class 3 one by verisign that expires on Aug 16, 2001 issued to the CN of webmail.roadrunner.com, with an md5 fingerprint that ends in ee:e5:f3:7a.

The biggest problem I have seen with these kinds of sites is that sometimes the certificates are valid, but expired.
You see "expires on Aug 16, 2001"? I see 8/16/2011.

The other data you see is what I find too.

While Firefox, Seamonkey, & Konqueror ALL find the certificate invalid, Opera (for Linux) does NOT find a problem. I'm really clueless about this matter.
 
Old 10-08-2010, 12:51 PM   #8
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 555Reputation: 555Reputation: 555Reputation: 555Reputation: 555Reputation: 555
Quote:
Originally Posted by rdsherman View Post
What do you mean by "...temporarily..."?

If I, at the warning screen, create an override for this certificate, then there are no problems.

Did you view the same warning (black text on a yellow background) before temporarily allowing the page to run?

Thanks for testing.
I mean, I temporarily disabled NoScript after I first loaded the page. Then I reloaded the page to see if there was any difference.

I didn't do anything remotely related to certificates, and at no time, before of after I reloaded the page, did I see any warnings of any kind regarding certificates..
 
Old 10-08-2010, 06:31 PM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Looks good to me. Just make sure we're looking at the same thing:
Code:
-----BEGIN CERTIFICATE-----

MIIFJTCCBA2gAwIBAgIQcPtXVghaLfD5kvA85CmORDANBgkqhkiG9w0BAQUFADCB

tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL

ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug

YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwOTEvMC0GA1UEAxMm

VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzIwHhcNMTAwODE2

MDAwMDAwWhcNMTEwODE2MjM1OTU5WjCBlTELMAkGA1UEBhMCVVMxFTATBgNVBAgT

DFBlbm5zeWx2YW5pYTEUMBIGA1UEBxQLQ291ZGVyc3BvcnQxHzAdBgNVBAoUFlJv

YWQgUnVubmVyIEhvbGRDbyBMTEMxFzAVBgNVBAsUDkJJRy1JUCB3ZWJtYWlsMR8w

HQYDVQQDFBZ3ZWJtYWlsLnJvYWRydW5uZXIuY29tMIGfMA0GCSqGSIb3DQEBAQUA

A4GNADCBiQKBgQC26Jz7ozVyjA9G62zOLEQmjSdq18M0ZbFPBcWmQ9ILdLaZnnEt

faEYC+m+12iNVnuw33D/SgxiD1JLoRRVXs+GX64+FfqKyM1jiQfM9ZIsYgm7BXgt

fetr8EwyaNLpSoLpWM/jxiswZAmv2RzzSNxv9wKOx1qTf1JFGyR/9dEr2wIDAQAB

o4IB0TCCAc0wCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwRQYDVR0fBD4wPDA6oDig

NoY0aHR0cDovL1NWUlNlY3VyZS1HMi1jcmwudmVyaXNpZ24uY29tL1NWUlNlY3Vy

ZUcyLmNybDBEBgNVHSAEPTA7MDkGC2CGSAGG+EUBBxcDMCowKAYIKwYBBQUHAgEW

HGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9ycGEwHQYDVR0lBBYwFAYIKwYBBQUH

AwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFKXvCxHOwEEDo0plkEiyHOBXLX1HMHYG

CCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24u

Y29tMEAGCCsGAQUFBzAChjRodHRwOi8vU1ZSU2VjdXJlLUcyLWFpYS52ZXJpc2ln

bi5jb20vU1ZSU2VjdXJlRzIuY2VyMG4GCCsGAQUFBwEMBGIwYKFeoFwwWjBYMFYW

CWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFEtruSiWBgy70FI4mymsSweLIQUYMCYW

JGh0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28xLmdpZjANBgkqhkiG9w0B

AQUFAAOCAQEAWoXp59oFDufU3z/rXuLo7VhoR7epKf5nVCYrq1fB++pauznA64O0

6U72rU5VOZsix5l81tWPkskVH793Ozb8L1s17gLe4WxYQzgevndHZrEKkM+s3tZM

XiHWKVmdvfQJeWlNb63kN7a2npmmJtkDnv9B8uwcrFSwQ8YtMHewXvl92Lgp9Z0R

kL2M/pYO+CHAo4pXff1v2UH1xJAGkk7ey/RU2fscxnZi2jDPuwSAdDpK8ZG/HoH3

1Ci6hYBQkYbPesso8jv/KQZC+EUV8ryRBtluLSqLKj3XU7/M07ND/afihnz8YWcc

7Ki3V8ouDelgQfebCyniOXECevMvw09byg==

-----END CERTIFICATE-----
Considering the different expiration dates people have posted in this thread, a server-side issue sounds quite likely. Have you heard back from them yet? FWIW, the one I get was issued on 8/15/2010 and is valid until 8/16/2011.
 
Old 10-08-2010, 07:07 PM   #10
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by rdsherman
I did examine the certificate in detail & it appears fine.
CN -> webmail.roadrunner.com
CN of CA -> Verisign Class 3 ...
Expires 2010 August 16 (Date/Time on my machine is accurate.)
Good deal. BTW, I am assuming the expiration you put in that post is a typo (because in the next post you wrote 2011). I mainly wanted to be sure that you weren't seeing h4x0r.pr0xy.whatever for a CN.

Most obvious cause, then: root CA cert is not known to your browser(s), which is actually fairly odd for Verisign.

A couple things:
  1. What Linux distro / version are we talking about?
  2. Is this the only https site you're having this problem with??

Last edited by anomie; 10-08-2010 at 07:11 PM.
 
Old 10-08-2010, 08:53 PM   #11
rdsherman
Member
 
Registered: Aug 2009
Location: Santa Monica CA
Distribution: Slackware, Fedora, Debian
Posts: 114

Original Poster
Rep: Reputation: 21
Quote:
Originally Posted by win32sux View Post
Looks good to me. Just make sure we're looking at the same thing:
Code:
-----BEGIN CERTIFICATE-----

MIIFJTCCBA2gAwIBAgIQcPtXVghaLfD5kvA85CmORDANBgkqhkiG9w0BAQUFADCB

tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL

ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug

YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwOTEvMC0GA1UEAxMm

VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzIwHhcNMTAwODE2

MDAwMDAwWhcNMTEwODE2MjM1OTU5WjCBlTELMAkGA1UEBhMCVVMxFTATBgNVBAgT

DFBlbm5zeWx2YW5pYTEUMBIGA1UEBxQLQ291ZGVyc3BvcnQxHzAdBgNVBAoUFlJv

YWQgUnVubmVyIEhvbGRDbyBMTEMxFzAVBgNVBAsUDkJJRy1JUCB3ZWJtYWlsMR8w

HQYDVQQDFBZ3ZWJtYWlsLnJvYWRydW5uZXIuY29tMIGfMA0GCSqGSIb3DQEBAQUA

A4GNADCBiQKBgQC26Jz7ozVyjA9G62zOLEQmjSdq18M0ZbFPBcWmQ9ILdLaZnnEt

faEYC+m+12iNVnuw33D/SgxiD1JLoRRVXs+GX64+FfqKyM1jiQfM9ZIsYgm7BXgt

fetr8EwyaNLpSoLpWM/jxiswZAmv2RzzSNxv9wKOx1qTf1JFGyR/9dEr2wIDAQAB

o4IB0TCCAc0wCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwRQYDVR0fBD4wPDA6oDig

NoY0aHR0cDovL1NWUlNlY3VyZS1HMi1jcmwudmVyaXNpZ24uY29tL1NWUlNlY3Vy

ZUcyLmNybDBEBgNVHSAEPTA7MDkGC2CGSAGG+EUBBxcDMCowKAYIKwYBBQUHAgEW

HGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9ycGEwHQYDVR0lBBYwFAYIKwYBBQUH

AwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFKXvCxHOwEEDo0plkEiyHOBXLX1HMHYG

CCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24u

Y29tMEAGCCsGAQUFBzAChjRodHRwOi8vU1ZSU2VjdXJlLUcyLWFpYS52ZXJpc2ln

bi5jb20vU1ZSU2VjdXJlRzIuY2VyMG4GCCsGAQUFBwEMBGIwYKFeoFwwWjBYMFYW

CWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFEtruSiWBgy70FI4mymsSweLIQUYMCYW

JGh0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28xLmdpZjANBgkqhkiG9w0B

AQUFAAOCAQEAWoXp59oFDufU3z/rXuLo7VhoR7epKf5nVCYrq1fB++pauznA64O0

6U72rU5VOZsix5l81tWPkskVH793Ozb8L1s17gLe4WxYQzgevndHZrEKkM+s3tZM

XiHWKVmdvfQJeWlNb63kN7a2npmmJtkDnv9B8uwcrFSwQ8YtMHewXvl92Lgp9Z0R

kL2M/pYO+CHAo4pXff1v2UH1xJAGkk7ey/RU2fscxnZi2jDPuwSAdDpK8ZG/HoH3

1Ci6hYBQkYbPesso8jv/KQZC+EUV8ryRBtluLSqLKj3XU7/M07ND/afihnz8YWcc

7Ki3V8ouDelgQfebCyniOXECevMvw09byg==

-----END CERTIFICATE-----
Considering the different expiration dates people have posted in this thread, a server-side issue sounds quite likely. Have you heard back from them yet? FWIW, the one I get was issued on 8/15/2010 and is valid until 8/16/2011.
Yes, your issue/expiration dates are what I see.

I do NOT know how to view the certificate code on my Slackware 13.1 box.
But here is the exact text from the Firefox file cert_override.txt
Code:
webmail.roadrunner.com:443	OID.2.16.840.1.101.3.4.2.1	31:46:08:24:6B:B6:CC:60:66:22:1C:D8:7B:CE:A4:BC:96:D2:6E:25:96:EB:22:84:EC:0B:73:C8:6F:B3:91:FA	U	AAAAAAAAAAAAAAAQAAAAuHD7V1YIWi3w+ZLwPOQpjkQwgbUxCzAJBgNVBAYTAlVT  MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1  c3QgTmV0d29yazE7MDkGA1UECxMyVGVybXMgb2YgdXNlIGF0IGh0dHBzOi8vd3d3  LnZlcmlzaWduLmNvbS9ycGEgKGMpMDkxLzAtBgNVBAMTJlZlcmlTaWduIENsYXNz  IDMgU2VjdXJlIFNlcnZlciBDQSAtIEcy
This is important, though. For the last 5 years, until a month ago, I never had a problem. It seems to coincide roughly with the renewal date in August.

TWC (Time Warner Cable) is "working on the problem", they say. But, it is not clear if they even have access to a Linux machine. We (Linux devotees) are only about 2% of their subscriber base.
 
Old 10-08-2010, 09:11 PM   #12
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by win32sux View Post
Looks good to me.
FYI: I just tried the site again and I get an invalid certificate alert.

Hopefully they really are working on the problem.

Last edited by win32sux; 10-08-2010 at 09:14 PM.
 
Old 10-08-2010, 09:28 PM   #13
rdsherman
Member
 
Registered: Aug 2009
Location: Santa Monica CA
Distribution: Slackware, Fedora, Debian
Posts: 114

Original Poster
Rep: Reputation: 21
Quote:
Originally Posted by anomie View Post
Good deal. BTW, I am assuming the expiration you put in that post is a typo (because in the next post you wrote 2011). I mainly wanted to be sure that you weren't seeing h4x0r.pr0xy.whatever for a CN.

Most obvious cause, then: root CA cert is not known to your browser(s), which is actually fairly odd for Verisign.

A couple things:
  1. What Linux distro / version are we talking about?
  2. Is this the only https site you're having this problem with??
I am currently using Slackware 13.1, the 32 bit version. I have been a user of Slackware for about 15 years.

This is the only https website on which I have a problem & most, if not all, of the others (like banks) use VeriSign. That is why I think it is problem confined to them (Time Warner Cable).

In Firefox (4.0b6 or 3.6.x) at the login page. If I do (click)
Tools -> Page Info -> Security -> View Certificate
the very first line says
"Could not verify this certificate for unknown reasons"
but all the following data appears sound.

Konqueror & Seamonkey also 'birp' on the site; however, all use the same browser engine (Gecko). So, it's not surprising.

This invalid certificate issue only appeared in the last month or two; the 5 prior years I had no problem. Also I tried a MS Win box & an Apple machine: no warning message. However, it's been my experience with Linux that it is far more careful in assuring system security than our more popular competitors.

I want to thank everyone on this thread for looking into this situation.
 
Old 10-08-2010, 09:43 PM   #14
rdsherman
Member
 
Registered: Aug 2009
Location: Santa Monica CA
Distribution: Slackware, Fedora, Debian
Posts: 114

Original Poster
Rep: Reputation: 21
Quote:
Originally Posted by win32sux View Post
FYI: I just tried the site again and I get an invalid certificate alert.

Hopefully they really are working on the problem.
JAIT (Just As I Thought). It is real & it is NOT a Linux distro problem!

I wonder if it is geographical problem. You are in LA & I am in Santa Monica CA. GrapefruitGirl did not see it; is she outside of Southern California?

I will attempt to direct Time Warner Cable technicians to this thread so they can witness this directly.

Thanks for the help!
 
Old 10-10-2010, 05:43 AM   #15
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781
FWIW, the 2001 was a typo, it was supposed to be 2011. When I pull up the page and go to tools->page info->security, it says that it has been verified by verisign and that it is trusted for the purpose of SSL Server Certificate.

Could it be a problem with whatever server you get redirected to for verification? As far as location, I am in North Carolina, which is about as far from Southern California as you can get in the lower 48. It would make sense for me to be accessing a different verification server.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
localhost:10000 uses an invalid security certificate. Webmin 1.470 Ubuntu 9.04 Clived Ubuntu 10 03-20-2012 08:03 AM
Why get invalid Security certificate when not accessing site? dumluks Linux - Security 2 01-25-2010 10:27 AM
Apache SSL untrusted certificate keysorsoze Linux - Server 4 10-08-2008 08:36 PM
OpenVPN CA Certificate Invalid fukawi2 Linux - Networking 4 05-07-2008 11:01 PM
webmin + invalid certificate rosscopeeko Mandriva 0 03-08-2004 10:22 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:30 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration