SLL on Mobile Android/Chrome, what is our .conf file

[Stu]

Hi Bruce/Folks,

Have had an issue with SSL and mobile android/chrome for a while now.

Thankfully, someone has solved it!

http://stackoverflow.com/questions/27892873/ssl-cert-err-cert-authority-invalid-on-mobile-chrome-only

So my question is, where would the *.conf file be, or the equivalent?

Is it something internally in the nettalk ssl functionality maybe?

Cheers,

Stu

[attachment deleted by admin]

[Bruce]

Hi Stu,

From the StackOverflow question this appears to be an Intermediate Certificate issue. Maybe you don't have enough, maybe you have too many.

In NetTalk Intermediate certificates are merged into the CRT file. The mechanics are discussed here;
http://www.capesoft.com/docs/NetTalk8/NetTalkWebSecure.htm#UsingIntermediateCertificates

So I'm guessing this is the place to start adding, or removing, certificates.

cheers
Bruce

[Stu]

Hi Bruce,

Yup, I've been all over that the last time I tried to fix this.

I was asking about the "ssl.conf" file .. If nettalk had an equivalent.

I'm guessing it's just the .pem file we use.

Stu

[Stu]

More specifically, have got one .pem file, CA_Roots.pem, with a whole bunch of X.509 certificates in it .. which I thought I needed.

So I guess I'm asking if anyone has any wisdom on what would need to be removed and what would need to stay.

Will keep digging.

Stu

[Stu]

Also Bruce,

From the StackOverflow question this appears to be an Intermediate Certificate issue. Maybe you don't have enough, maybe you have too many.

That's not how I read the answer, but maybe I don't understand.

Looks like he's saying there was a second certificate chain being added with the "Server Certificate Chain".

So reading this my brain says .. What is the equivalent, if there is, in the nettalk implementation of ssl?

I've gone down the Intermediate Certificate path (maybe not enough) .. My .crt file has a primary and secondary intermediate cert text in addition to the base one.

Stu

[attachment deleted by admin]

[Bruce]

>> More specifically, have got one .pem file, CA_Roots.pem, with a whole bunch of X.509 certificates in it .. which I thought I needed.

that pem file is not used by a server, only a client.

the certificate you need to worry about is in your certificates folder.

>> My .crt file has a primary and secondary intermediate cert text in addition to the base one.

yes, that's the file you want to be looking into. I read it that you have too many, or not enough, intermediate certificates in there.


cheers
Bruce

[Stu]

Thanks Bruce.

So zero intermediate certs doesn't solve the issue (it's why I added them in the first place, to try and solve it).

Adding the two from GeoTrust/RapidSSL doesn't solve it.

Not sure if there are any more.

You say that the pem file is only used by a client.

So Android Chrome would be a client right?

That kind of makes sense. So if android chrome is throwing up issues, then wouldn't that mean the pem file is where I should be looking?

[Bruce]

>> You say that the pem file is only used by a client.

A NetTalk Client object making an SSL client-side connection.

>> So Android Chrome would be a client right?

But not a NetTalk client, so it doesn't apply.

cheers
Bruce

[Stu]

Ahhh, rightio. Cheers, thanks Bruce.

So it comes back to android chrome being .. annoying.

[Larry Sand]

Hi Stu,

We've had this problem at hundreds of sites and it's always the certificate chain.  Sometimes for Android you need to add the root CA to the chain then it'll be happy.

Larry Sand

[Stu]

Hey Larry,

Oh okay! Cheers for the info.

So you mean, in terms of nettalk, putting the root CA into the .pem file?

Stu

[Bruce]

I _think_ Larry means adding the Root CA to the CRT file.
The .pem file is not used by the server.

Cheers
Bruce

[Stu]

Hi Bruce,

Yeah okay .. I know you said above that only the client uses the pem file. I guess I wasn't sure what Larry meant by "to the chain".

Cheers,

Stu

[Larry Sand]

Hi Stu,

Yes Bruce is correct.  By chain I mean that you have a certificate and intermediate certificates, but that relies on the browser having access to the root certificate.  Frequently the Android browsers do not have the root certificate cached so you have to serve it, and then the device is happy with the certificate authority chain.

Does that help?

Larry Sand

[Stu]

Hi Larry/Bruce,

Apologies for being plain dumb about this.

1. We get a wildcard SSL certificate each year.
2. I get a cert txt file and two (primary and secondary) intermediate txt files.
3. These three certificates make up the "<name>.crt" file that lives in the "certificates" folder under the nettalk webserver.
4. Also, I've got a "CA_Roots.pem" file, which holds a whole bunch (20+) "root" certificates from different places.

So I've tried taking what is in the .pem file (the "root" certificates") and placing them in the .crt file. This doesn't solve the android issue.

I've tried just taking the GeoTrust ones out (because they are the guys, so I've been told, that RapidSSL - where we get our ssl from - use) and putting them into the .crt file, but doesn't seem to solve the issue.

Am I doing the right thing? - should I keep cutting and pasting out of the .pem file until I get the right combination in the .crt file?

Really appreciate the help so far, and ongoing.

Stu