[Falkon] [Bug 393480] SSL Error: Server's certificate does not match the URL

Thu, 04 Apr 2019 11:40:00 -0700 

https://bugs.kde.org/show_bug.cgi?id=393480

jltrinchard <jimmy.trinch...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jimmy.trinch...@gmail.com

--- Comment #5 from jltrinchard <jimmy.trinch...@gmail.com> ---
I had the same problem while visiting reputable sites, and I couldn't reproduce
the problem on Chromium and Firefox.  Nevertheless, I found out that my DNSBL
on pfBlockerNG was causing the issue.  

By launching Falkon from the terminal, I would get the following:

[7645:7663:0404/123334.261921:ERROR:cert_verify_proc_nss.cc(944)]
CERT_PKIXVerifyCert for www.google-analytics.com failed err=-8102
[7645:7661:0404/123434.553688:ERROR:cert_verify_proc_nss.cc(944)]
CERT_PKIXVerifyCert for www.googletagservices.com failed err=-8102
[7645:7663:0404/123436.621166:ERROR:cert_verify_proc_nss.cc(944)]
CERT_PKIXVerifyCert for www.googletagmanager.com failed err=-8102
[7645:7662:0404/123523.083457:ERROR:nss_ocsp.cc(614)] No URLRequestContext for
NSS HTTP handler. host: ocsp.digicert.com
[7645:7662:0404/123523.083538:ERROR:nss_ocsp.cc(614)] No URLRequestContext for
NSS HTTP handler. host: crl4.digicert.com
[7645:7663:0404/123525.908547:ERROR:cert_verify_proc_nss.cc(944)]
CERT_PKIXVerifyCert for collector.githubapp.com failed err=-8102

That would be from visiting
https://www.reddit.com/r/kde/comments/azva4r/falkon_ssl_certificate_error/ and
other places.

The certificates shown in KDE's SSL Preferences and the Kleopatra/GnuPG logs
looked fine.  I also don't have any NTP-related issues.  After checking the
DNSBL logs, I realized that pfBlockerNG's DNS blacklist was causing the issue. 
It redirects unwanted traffic to a private IP address which has a web server
hosting a basic page and its own certificate.  

Firefox and Chromium silently ignore the SSL error, and I didn't add any
certificate exception for the DNSBL address.  On the other hand, Falkon brings
up the SSL certificate error window.  After adding an exception whenever a
unique domain name becomes blacklisted, the exceptions become cleared after
restarting Falkon. :(

So, presumably if a user is running pfBlockerNG, a similar DNSBL service, or
blocks domains using some hosts file, then they'll probably encounter OP's
problem.

I hope that was helpful.  I left the status as 'REPORTED' instead of
'CONFIRMED' because my explanation probably doesn't cover all scenarios that
lead to OP's issue.

-- 
You are receiving this mail because:
You are watching all bug changes.

Reply via email to