Scheduled maintenance - May 31st 2015

[Rys]

I'll be taking the forums down for about half an hour tomorrow sometime, not sure when, to perform some security related updated and roll out integration with @Arwin's Tech In Games website.

Arwin will write something to let you all know how to use the integration in due course.

Security wise, I'm installing a new TLS certificate with SHA256 fingerprint and intermediate chain to help appease our Google overlords and keep Chrome happy with the site. It shouldn't affect any other clients, but please do let me know if it does.

The new certificate expires on May 29th 2017, so if you want to know if you're being served it correctly, check for that expiry date plus a SHA256 fingerprint in your client wherever you're able.

Sorry I can't be more specific as to when, busy day tomorrow..

 

[Rys]

Done, let me know if you see any issues.

 

[3dilettante]

I'm not sure if this is an issue, but for me Chrome is warning about the use of SHA-1 signatures.

 

[Rys]

Someone else reported the same thing earlier. What version of Chrome and what OS? I'll look into it.

 

[3dilettante]

Windows 7 sp1
Chrome version 43.0.2357.81

 

[Rys]

Excellent, thanks. Can you also paste or screenshot the certificate details? The fingerprint/signature is the key thing.

 

[Malo]

Certificate seems fine to me on Chrome 43.0.2357.81 / Windows 7 64-bit

 

[3dilettante]

Version: V3
Serial: ‎07 65 ea 0a 40 3d 2b
Signature algorithm: sha256RSA
Signature hash alg: sha256
Issuer:
CN = StartCom Class 2 Primary Intermediate Server CA
OU = Secure Digital Certificate Signing
O = StartCom Ltd.
C = IL

Valid from: ‎Saturday, ‎May ‎30, ‎2015 11:21:27 AM
Valid to: Tuesday, ‎May ‎30, ‎2017 10:21:03 AM

Subject:
...(snipped for brevity, unless needed)

Public key: RSA 4096 bits
(snipped)

Basic constraints:
Subject Type=End Entity
Path Length Constraint=None

Key usage: Digital Signature, Key Encipherment, Key Agreement (a8)
Enhanced key usage:
Client Authentication (1.3.6.1.5.5.7.3.2)
Server Authentication (1.3.6.1.5.5.7.3.1)

Subject Key ID:
56 d9 99 6c 35 0b 8e 33 84 20 ce 7b 0a a7 d8 a1 05 49 ec 5e
Authority Key ID:
KeyID=11 db 23 45 fd 54 cc 6a 71 6f 84 8a 03 d7 be f7 01 2f 26 86
Subject Alternative Name:
DNS Name=www.beyond3d.com
DNS Name=beyond3d.com
DNS Name=forum.beyond3d.com

Certificate Policies:
[1]Certificate Policy:
Policy Identifier=2.23.140.1.2.2
[2]Certificate Policy:
Policy Identifier=1.3.6.1.4.1.23223.1.2.3
... (snipped)

CRL Distribution Points:
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://crl.startssl.com/crt2-crl.crl

Authority Information Access:
Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
Alternative Name:
URL=http://ocsp.startssl.com/sub/class2/server/ca
[2]Authority Info Access
Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
Alternative Name:
URL=http://aia.startssl.com/certs/sub.class2.server.ca.crt

Issuer Alternative Name:
URL=http://www.startssl.com/

Thumbprint algorithm: sha1
Thumbprint: ‎f3 35 41 91 20 96 e5 0e e9 22 b9 4a bc d8 e4 b5 52 c2 42 55

 

[Rys]

Ah, I see what's happening. There's a SHA1 intermediate certificate in the chain, I think cached from the old cert chain I just replaced.

I'll do a bit of research into how to get around that properly.

 

[Rys]

I've replaced the certificate chain with a new one that has a different intermediate certificate, that might help Windows/CryptoAPI use a SHA256 version of the CA's root, just making the entire chain SHA256-fingerprinted, and thus keep Chrome happy. Try refreshing the forums in your browser (you probably have to anyway to read this post) and see if Chrome's happy now.

If not, I'll do some more digging (seems like a common problem with Chrome on Windows and StartCom-supplied certs).

 

[3dilettante]

Chrome seems to be happy now for me.

 

[Rys]

Excellent, that chain is valid for a good while.

 

[Arwin]

Yep, looks good here too! Noticed it today, and was just going to mention it.