#tlsnotary-chat

anyone seen a scenario where a firefox doesn't recognise half the certs?

i have a browser running in a separate uid, and have been having trouble for a while verifying anything under it. even when i load https://tlsnotary.org it tells me invalid certificate, but https://google.com works for example. https://tlsnotary.org works in my other firefoxes running under different uids. go figure.

i removed the dirs under ~/.mozilla and still

BB-Martino: yes, i saw that when i loaded a new VM recently

any suggestions on how to fix it?

best guess is it's related to having a non-up to date certdb

okay, but it's not like it copies certs when i create a new userid, is it ?

or if so, where do i reset it

i got as far as being confused about it but so far not further .. what version of FF you running?

BB-Martino: don't get me wrong, not saying i actually understand. it's weird.

38.0

i know where the certdb is stored, or i used to..

the point is, it's a common place, no?

but you don't generally want to start messing around.

if it was simply messed up, then my other browsers should fail too

it might be a function of profile

because you are allowed to edit it, after all

but it's only this one running under a separate userid. and it's not even 'running under a separate userid' because my other separate browser works fine too. it's just 1 out of 3 that doesn't.

whatever profiel setting it is, it's definitely not under ~/.mozilla otherwise me removing the dirs should have made a difference

so now i'm pretty much out of ideas

meanwhile i'd like to move on and verify this guy's bank acct :)

ok. yes i'm quite confused by that, if you wiped ~/.mozilla

can you not manually check the cert in the pgsg?

i mean get the fingerprint.

but hey that is a big pain for sure

but the plugin also checks that the content in it matches up to the crypto, right?

simply checking the cert and checking the content separately is pointless

yeah but i thought you were saying you can't get it to verify because the cert isn't verified by firefox?

someone could just add the bank cert and change the sort/acct in the content

well i can't get it to verify under the separate uid

i re-enabled the plugin in my usual browser too by the way, where certs work

but when i load the .pgsg

it doesn't do anything

and when i click Import

again, nothing

of course it verifies the entire content, don't worry about that :)

so i can't use pagesigner now, for various reasons

yes, that's the same issue we had before (although for a different reason). if the cert doesn't verify it won't show the content.

it doesn't do anything under my usual uid, and the certs are messed up under the other one

but it should verify under the other acct, because https://tlsnotary.org loads fine too

and it's worked before

so under your normal id, you think the certs *aren't* messe dup

but it nevertheless fails to import, is that it?

they aren't, your site with a comodo cert loads fine

and it used to verify all pgsgs

now all of a sudden it just stops doing anything

so the plugin now won't load any pgsg file?

nop

Skip Cert Error :: Add-ons for Firefox - Mozilla Add-ons

addons.mozilla.org › Add-ons for Firefox › Extensions

Rating: 4.5 - ‎22 votes - ‎Free

This Firefox extension enables skipping the SSL/TLS certificate error page, for specific configurable .... This frame prevents back/forward cache problems in Safari.

hahaha

a plugin to skip cert errors, that's somethin'

:)

so will the plugin load any pgsg files?

well no.

now i can't even re-download pagesigner to the other browser instance

becauser it complains about a connection error

when i click 'allow' in FF

right, that's the other one, where the tlsnotary cert is not being accepted

there is a hack to get round that

but i was more interested in whether it still worked in a browser that has a "proper" certdb

nop

and yes, i still have no idea what causes that, it's most disturbing

right, but again, can you load *any* pgsg file in your normal browser?

or is it just this one that fails

ZOMG

i just solved the cert problem

you know what i effin did?

I unticked 'Query OCSP responder servers to confirm the current validity of certificates' in the settings

and now tlsnotary.org loads fine.

ah

yes that is a can of worms, eh

but

i have it ticked in my other browser

so one more thing that doesn't make sense

grrr

right. but that's a huge step forward in understanding, so thanks.

wait let me re-tick it

and see if it gets screwed up again

now it works, still.

i see. so pretty much a bug then.

"The add-on could not be downloaded because of a connection failure"

is what it says when i try to install it now

yes that happens if the tlsnotary cert is not trusted

but

i thought that was the original error?

i didn't get a warning popup this time

oh wait

maybe i stored it

d'oh!!!

i did

this had nothing to do with the tick, sorry

so currently your "separate" browser has this cert problem, but do pgsg files load in your "normal" browser?

they used to, but not anymore

right, so none at all. we should try to fix this first I think.

i've had this alt-browser-sucks problem for a while and would just always just use my usual one

i just sanity checked, the notary server is still up.

re-enabling the plugin

but right now if i do 'verify pgsg file' i get the dialogue, select the file, and then nothing

if you could turn on verbose logging and read the browser console with logging and JS enabled

when i go to manage files, click 'import', i don't even get the dialogue to select the file

k

sec

turn on verbose logging in the "preferences" for the addon

everything seems to be working normally here; export works, notarize works. i'll try import. FF38 ubuntu

13:32:06.217 Array [ "got error in vtsh: certificate veri…" ]1 tlsn_utils.js:178

yeah, as expected i guess, certificate verification failure

also, it complains about "This site makes use of SHA-1 Certificate; it's recommended blah blah blah'

yeah don't worry that's normal

just Adam Langley on the rampage :)

can you do the parse-pgsg and send me the cert details maybe?

i'm just trying to think what i could do to check. hard to do debugging when all the info is so personal.

0.der, 1.der, 2.der ?

or the fullcert file?

all of them; although 0.der will be the one we want

also you can look at it with the openssl thing right, if you want

BB-Martino: that server is untrusted on my main firefox

go figure...

so it's just this specific .pgsg file?

well, i don't know, i just went to https://<that domain> and got untrusted cert

the date range seems fine, so it's not that

but .. hmm, it seems to me it *must* be trusted in the client's browser

i mean, assuming it's not a scam, which seems basically infeasible.

that's highly doubtable

when i load https://secure-business.tsb.co.uk/ it redirects me to secure-business.tsb.co.uk

no cert error

so it's likely only not trusted in your browser

huh that's weird. i did the same and got untrusted.

it kind of sucks that the more we try to debug, the more questions we have

well, that makes basically no sense. sigh.

and the more things that don't make sense

"The certificate is not trusted because the issuer certificate is unknown."

let me try on another machine fwiw

is there a script to manually check it?

i'll probably have time to debug this later

but now i've paused with my usual routine

and want to approve the guy's bank acct

FF28 on old ubuntu, the site loads fine. EV cert.

it's wonderful how PKI works so seamlessly.

manually check - let me have a think. i understand this should be easy...