3

For some of my site visitors, the SSL certificate is failing. Whatever tests I do on various browsers for me the SSL certificate is valid.

I can't think of how to test this on client side, and to identify the problem.
How would you do this?

One client gets: fatal certificate unknown

Pentium10
  • 204,586
  • 122
  • 423
  • 502

2 Answers2

3

While RouMao's answer is mostly correct, he has missed what is (IME) the most common problem with SSL certificates - the certificate you are using requires an interim certificate from the CA which you have not included in your certificate chain. Most CAs provide an online tool for analysing the certificate - try the one located here.

Also, is there any correlation with which browser being used? Notably, Chrome does not handle SSL v2 by default

symcbean
  • 47,736
  • 6
  • 59
  • 94
  • I've used the tool to check the site and I've got this: http://screencast.com/t/BRfpmM6UF and http://screencast.com/t/S4CZ2Sw6JM and http://screencast.com/t/fmY68hcmyX what's wrong with the 1st and 3rd? – Pentium10 Apr 18 '11 at 19:45
  • The tool you mentioned ( http://www.networking4all.com/en/support/tools/site+check/ ) helped me to diagnose my obscure certificate installation issue. Thank You! – fviktor Jun 27 '11 at 02:53
0

Most of the failing of SSL certificates were caused by visitors themselves. Somehow could not tests or verified by server implementation.

Here are some obvious examples:

  1. Your cert is validated since April 1st 2012, but the client's local machine time is set to 2010 -- one year later than current time. In this case, the visitor should encounter problem all the times, until his machine time is later than April 1st 2012.
  2. visitor is behind a restricted firewall. The firewall could terminate the SSL/TLS connection and re-crypt the link with a pseudo/self-sign certificate. Indeed this could be considered as a man-in-middle attach.
  3. The Trusted Root Certification was removed by client himself

it is very hard to fix all these problem. Sometimes, you need to create a client side native application to detect or fix all the possible problems, and require client browser to execute the application each time before it enter the HTTPS mode.

P.S. most of the e-bank application do like this.

Yi Zhao
  • 6,768
  • 1
  • 18
  • 18