https://bugs.kde.org/show_bug.cgi?id=398682

            Bug ID: 398682
           Summary: ERR_INSECURE_RESPONSE with Valid Certificate and Trust
                    Chain
           Product: konqueror
           Version: 5.0.97
          Platform: Fedora RPMs
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: konq-b...@kde.org
          Reporter: stim...@comcast.net
  Target Milestone: ---

I am trying to view this URL, but can't even get an index page with Konqueror:
https://devtalk.nvidia.com

The certificate and other details of SSL here are valid. This uses sha256, and
is signed and valid. So far as I know DigiCert (the signer) is one which is not
banned (though Google sold this off). The certificate is valid from Sept. 11,
2018 (it is now Sept. 15, 2018) until Sept. 12, 2020 (the date range is valid).
This does not seem to be a case of rejecting weaker protocols and despite 100%
validity in the chain, the site is refused with:
ERR_INSECURE_RESPONSE

It looks like konqueror has a bug parsing this. Konqueror should not mark this
as invalid. Since the ERR_INSECURE_RESPONSE is the only thing the browser gives
as information the only debugging I can perform is to report this as a bug. It
would be much more helpful if such an error message had the ability to give
verbose details of why a site is rejected (e.g., if it said the CA is not
accepted, then I would not need to report a bug...but if it says it is only
SHA1, then I could guarantee it is a bug).

All components of the Linux host (Fedora 27) are kept up-to-date, including SSL
and OpenSSH libraries. All other browsers I've tried from Linux accept this
site and suggest the certificate is authentic. The issue seems to be a bug in
konqueror, and not one of the certificate.

SHA-256 fingerprint:
90:49:6B:CE:BE:D5:1F:0E:57:CE:40:8C:A3:E1:A1:B0:5B:B2:CA:68:76:19:44:2B:A1:B0:5F:A2:56:05:EE:03

SHA1 fingerprint:
25:91:64:E5:DC:18:07:89:9C:F1:66:C2:46:84:99:42:37:E8:87:25

Perhaps the existence of a SHA1 fingerprint is causing Konqueror to not look
for SHA256? Is it forbidden to have SHA1 signature even when a valid SHA256
signature is in place?
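An added example, not part of the bug report and not Konqueror's code, to illustrate the distinction behind the last question: a fingerprint is a hash that the client computes over the whole DER-encoded certificate, so every certificate has both a SHA-1 and a SHA-256 fingerprint no matter how it was signed; what a validator may reject as weak is the signatureAlgorithm field inside the certificate. The certificate bytes below are a constructed, simplified stand-in (a placeholder tbsCertificate and filler signature bytes, only the outer RFC 5280 layout is real), and the OID table and weak-algorithm policy set are assumptions for the example.

```python
"""Added example: fingerprints versus the certificate's signature algorithm."""
import hashlib

# Real PKCS#1 OIDs; the policy set WEAK_SIG_ALGS is an assumption for this example.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIG_ALGS = {"sha1WithRSAEncryption"}


def der_tlv(tag, body):
    """Encode one DER tag-length-value with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def build_toy_certificate(sig_oid):
    """Constructed Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm,
    signatureValue }. The tbsCertificate is a placeholder SEQUENCE, not a real
    X.509 TBSCertificate, and the signature value is filler bytes."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x13, b"toy-cert"))
    sig_alg = der_tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")  # AlgorithmIdentifier, NULL params
    sig_value = der_tlv(0x03, b"\x00" + b"\xAA" * 16)            # BIT STRING, 0 unused bits
    return der_tlv(0x30, tbs + sig_alg + sig_value)


def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode a DER OBJECT IDENTIFIER body into dotted form (first arc 0, 1 or 2)."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Return (OID, name) of the algorithm that signed the certificate."""
    tag, body, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _, pos = read_tlv(body, 0)             # skip tbsCertificate
    _, alg_body, _ = read_tlv(body, pos)      # signatureAlgorithm
    tag, oid_body, _ = read_tlv(alg_body, 0)  # its OID
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    oid = decode_oid(oid_body)
    return oid, SIG_ALG_NAMES.get(oid, "unknown")


def fingerprints(cert_der):
    """Both fingerprints are computed by the client over the whole DER blob;
    their existence says nothing about which algorithm signed the certificate."""
    def colon_hex(digest):
        return ":".join(f"{b:02X}" for b in digest)
    return {"sha1": colon_hex(hashlib.sha1(cert_der).digest()),
            "sha256": colon_hex(hashlib.sha256(cert_der).digest())}


def is_signature_acceptable(cert_der):
    """The validator's policy check looks at the signing algorithm, not at fingerprints."""
    _, name = signature_algorithm(cert_der)
    return name in SIG_ALG_NAMES.values() and name not in WEAK_SIG_ALGS


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5"):
        cert = build_toy_certificate(oid)
        fp = fingerprints(cert)
        print(signature_algorithm(cert)[1], "acceptable:", is_signature_acceptable(cert))
        print("  SHA-1   fingerprint:", fp["sha1"])
        print("  SHA-256 fingerprint:", fp["sha256"])
```

Running it shows that both the SHA-256-signed and the SHA-1-signed toy certificate carry a SHA-1 and a SHA-256 fingerprint, and that only the signatureAlgorithm OID changes the policy verdict. Against a real site the same distinction is visible with `openssl x509 -noout -text` (the "Signature Algorithm" line) versus `openssl x509 -noout -fingerprint -sha1` and `-sha256`.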
