NetTalk Central

Author Topic: SSL on Mobile Android/Chrome, what is our .conf file

Stu

« on: June 24, 2015, 04:03:37 PM »
Hi Bruce/Folks,

Have had an issue with SSL and mobile android/chrome for a while now.

Thankfully, someone has solved it!

http://stackoverflow.com/questions/27892873/ssl-cert-err-cert-authority-invalid-on-mobile-chrome-only

So my question is, where would the *.conf file be, or the equivalent?

Is it something internally in the nettalk ssl functionality maybe?

Cheers,

Stu

Cheers,

Stu Andrews

Bruce

« Reply #1 on: June 24, 2015, 10:34:08 PM »
Hi Stu,

From the StackOverflow question this appears to be an Intermediate Certificate issue. Maybe you don't have enough, maybe you have too many.

In NetTalk, intermediate certificates are merged into the CRT file. The mechanics are discussed here:
http://www.capesoft.com/docs/NetTalk8/NetTalkWebSecure.htm#UsingIntermediateCertificates

So I'm guessing this is the place to start adding, or removing, certificates.

cheers
Bruce

Stu

« Reply #2 on: June 25, 2015, 12:34:03 AM »
Hi Bruce,

Yup, I've been all over that the last time I tried to fix this.

I was asking about the "ssl.conf" file .. If nettalk had an equivalent.

I'm guessing it's just the .pem file we use.

Stu

Stu

« Reply #3 on: June 25, 2015, 12:46:41 AM »
More specifically, have got one .pem file, CA_Roots.pem, with a whole bunch of X.509 certificates in it .. which I thought I needed.

So I guess I'm asking if anyone has any wisdom on what would need to be removed and what would need to stay.

Will keep digging.

Stu

Stu

« Reply #4 on: June 25, 2015, 01:04:04 AM »
Also Bruce,

>> From the StackOverflow question this appears to be an Intermediate Certificate issue. Maybe you don't have enough, maybe you have too many.

That's not how I read the answer, but maybe I don't understand.

Looks like he's saying there was a second certificate chain being added with the "Server Certificate Chain".

So reading this my brain says .. What is the equivalent, if there is, in the nettalk implementation of ssl?

I've gone down the Intermediate Certificate path (maybe not enough) .. My .crt file has a primary and secondary intermediate cert text in addition to the base one.

Stu


Bruce

« Reply #5 on: June 26, 2015, 06:12:53 AM »
>> More specifically, have got one .pem file, CA_Roots.pem, with a whole bunch of X.509 certificates in it .. which I thought I needed.

That pem file is not used by a server, only a client.

The certificate you need to worry about is in your certificates folder.

>> My .crt file has a primary and secondary intermediate cert text in addition to the base one.

Yes, that's the file you want to be looking into. I read it that you have too many, or not enough, intermediate certificates in there.


cheers
Bruce

Stu

« Reply #6 on: June 26, 2015, 03:17:43 PM »
Thanks Bruce.

So zero intermediate certs doesn't solve the issue (it's why I added them in the first place, to try and solve it).

Adding the two from GeoTrust/RapidSSL doesn't solve it.

Not sure if there are any more.

You say that the pem file is only used by a client.

So Android Chrome would be a client right?

That kind of makes sense. So if android chrome is throwing up issues, then wouldn't that mean the pem file is where I should be looking?

Bruce

« Reply #7 on: June 29, 2015, 01:47:12 AM »
>> You say that the pem file is only used by a client.

A NetTalk Client object making an SSL client-side connection.

>> So Android Chrome would be a client right?

But not a NetTalk client, so it doesn't apply.

cheers
Bruce

Stu

« Reply #8 on: June 29, 2015, 03:36:20 PM »
Ahhh, rightio. Cheers, thanks Bruce.

So it comes back to android chrome being .. annoying.

Larry Sand

« Reply #9 on: June 30, 2015, 02:20:19 PM »
Hi Stu,

We've had this problem at hundreds of sites and it's always the certificate chain.  Sometimes for Android you need to add the root CA to the chain then it'll be happy.

Larry Sand

Stu

« Reply #10 on: June 30, 2015, 08:24:27 PM »
Hey Larry,

Oh okay! Cheers for the info.

So you mean, in terms of nettalk, putting the root CA into the .pem file?

Stu

Bruce

« Reply #11 on: June 30, 2015, 11:11:54 PM »
I _think_ Larry means adding the Root CA to the CRT file.
The .pem file is not used by the server.

Cheers
Bruce

Stu

« Reply #12 on: June 30, 2015, 11:50:24 PM »
Hi Bruce,

Yeah okay .. I know you said above that only the client uses the pem file. I guess I wasn't sure what Larry meant by "to the chain".

Cheers,

Stu

Larry Sand

« Reply #13 on: July 01, 2015, 12:47:13 PM »
Hi Stu,

Yes Bruce is correct.  By chain I mean that you have a certificate and intermediate certificates, but that relies on the browser having access to the root certificate.  Frequently the Android browsers do not have the root certificate cached so you have to serve it, and then the device is happy with the certificate authority chain.

Does that help?

Larry Sand

Stu

« Reply #14 on: July 01, 2015, 07:11:04 PM »
Hi Larry/Bruce,

Apologies for being plain dumb about this.

1. We get a wildcard SSL certificate each year.
2. I get a cert txt file and two (primary and secondary) intermediate txt files.
3. These three certificates make up the "<name>.crt" file that lives in the "certificates" folder under the nettalk webserver.
4. Also, I've got a "CA_Roots.pem" file, which holds a whole bunch (20+) "root" certificates from different places.

So I've tried taking what is in the .pem file (the "root" certificates) and placing them in the .crt file. This doesn't solve the android issue.

I've tried just taking the GeoTrust ones out (because they are the guys, so I've been told, that RapidSSL - where we get our ssl from - use) and putting them into the .crt file, but doesn't seem to solve the issue.

Am I doing the right thing? - should I keep cutting and pasting out of the .pem file until I get the right combination in the .crt file?

Really appreciate the help so far, and ongoing.

Stu