GlobalSign Intermediate SSL Certificates missing.

terranigma

GlobalSign Intermediate SSL Certificates missing.

Unread post by terranigma » 2019-01-31, 15:15

Some GlobalSign intermediate plugins are missing on default install.

For instance, the site below is not working without "Organization Validation CA - SHA256 - G2"

https://hmb.gov.tr

Certificates are here:
https://support.globalsign.com/customer ... rtificates

PaleMoon Version: 28.3.0, x86_64

Night Wing
Knows the dark side
Posts: 5151
Joined: 2011-10-03, 10:19
Location: Piney Woods of Southeast Texas, USA

Re: GlobalSign Intermediate SSL Certificates missing.

Unread post by Night Wing » 2019-01-31, 18:38

I clicked on your link and the site is working for me. At least I think it is working since I don't speak or write whatever language is being used. I clicked on all the sublinks too. Everything displayed properly.

So please explain what is "not working".

And I'm using 64 bit linux Pale Moon 28.3.1 running in 64 bit linux Mint 19.1 (Tessa) Xfce.
Linux Mint 21.3 (Virginia) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox
MX Linux 23.2 (Libretto) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox
Linux Debian 12.5 (Bookworm) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox

Moonchild
Pale Moon guru
Posts: 35478
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: GlobalSign Intermediate SSL Certificates missing.

Unread post by Moonchild » 2019-01-31, 19:59

Intermediate certificates have to be presented by the server when connecting to them, not built into clients -- and this site does this properly.
There is no reason this site will not work unless you, yourself, have distrusted the issuer in the browser (either in the certificate manager or by way of an extension).
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

terranigma

Re: GlobalSign Intermediate SSL Certificates missing.

Unread post by terranigma » 2019-02-01, 06:40

This is the result when I try with PM 28.3.0 on Devuan Linux x64. Installed from Steven Pusser repo.
I don't know what I'm doing wrong. If I add the intermediate cert manually, the problem is solved.
[Attached image: palemoon-1.png]

adesh
Board Warrior
Posts: 1277
Joined: 2017-06-06, 07:38

Re: GlobalSign Intermediate SSL Certificates missing.

Unread post by adesh » 2019-02-01, 10:23

I'm able to connect as well. On Mac, self-built Pale Moon from latest master.

therube
Board Warrior
Posts: 1650
Joined: 2018-06-08, 17:02

Re: GlobalSign Intermediate SSL Certificates missing.

Unread post by therube » 2019-02-01, 12:21

Are you using an antivirus?

As a test, create a new, clean Profile.
Then try to load https://hmb.gov.tr/.

Did that work?

terranigma

Re: GlobalSign Intermediate SSL Certificates missing.

Unread post by terranigma » 2019-02-01, 14:01

therube wrote:
> Are you using an antivirus?
> As a test, create a new, clean Profile.

Always testing with clean profile. I'm not using antivirus because I'm using Linux.


These are the GlobalSign root certs on default install:
[Attached image: palemoon-certs-1.png]

Moonchild

Re: GlobalSign Intermediate SSL Certificates missing.

Unread post by Moonchild » 2019-02-01, 18:23

In the "add exception" window, you will have the opportunity to view the presented certificates. Can you provide the details of the presented certificates, please?
(CN, issuer, etc.)

terranigma

Re: GlobalSign Intermediate SSL Certificates missing.

Unread post by terranigma » 2019-02-03, 00:17

Moonchild wrote:
> In the "add exception" window, you will have the opportunity to view the presented certificates. Can you provide the details of the presented certificates, please?
> (CN, issuer, etc.)

It seems the problem is related to something else. Probably a DNS or network topology issue since Firefox has the same issue as well. And if I only use the network/DNS at work. Interestingly, Chromium is immune to such an issue on the same network.

If I use regular internet from my ISP, the problem doesn't exist. So, I acknowledge that this is not a missing certificate issue.

If you are still interested in the given certification information from the site, it is here:
[Attached image: 2019-02-02-192001_672x664_scrot.png]

Moonchild

Re: GlobalSign Intermediate SSL Certificates missing.

Unread post by Moonchild » 2019-02-04, 22:29

Thanks for the cert info -- that indeed does look OK so shouldn't be the problem. I'm assuming this is the cert from your normal ISP that doesn't have the problem?
It's likely in that case that your work has a decrypting proxy in use (endpoint security or AV or similar) that presents a different cert so it can intercept https traffic.

terranigma

Re: GlobalSign Intermediate SSL Certificates missing.

Unread post by terranigma » 2019-02-05, 00:16

Moonchild wrote:
> Thanks for the cert info -- that indeed does look OK so shouldn't be the problem. I'm assuming this is the cert from your normal ISP that doesn't have the problem?
> It's likely in that case that your work has a decrypting proxy in use (endpoint security or AV or similar) that presents a different cert so it can intercept https traffic.

Actually not. That screenshot is from a problematic session. If it is a proxy or security AV that is forcing its own certificate, Chromium should have the same issue as well, but it does not. Only Firefox and Pale Moon have this issue, though I have not tried any other Mozilla-based browser.

Moonchild

Re: GlobalSign Intermediate SSL Certificates missing.

Unread post by Moonchild » 2019-02-05, 00:45

terranigma wrote:
> If it is a proxy or security AV that is forcing its own certificate, Chromium should have the same issue as well, but it does not.

Not necessarily. I don't know if Chromium automatically imports certs from the Windows trust store or not, but if so, then it's possible the security software installed the required intermediates in the Windows store. Since we use our own trust store (and Firefox likewise, probably), it wouldn't be picked up automatically.
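
An added example, not part of any post in this thread and not Pale Moon code: a Python check that reads the "Certificate chain" section of `openssl s_client -showcerts` output and tests, by name only, whether the presented chain reaches a given trust store, with or without a locally stored intermediate. The sample chains, the leaf name, the inspection CA and the store contents are constructed for illustration.

```python
import re

# "s:"/"i:" lines of the "Certificate chain" section that
# `openssl s_client -connect HOST:443 -servername HOST -showcerts` prints.
_LINE = re.compile(r"^\s*(?:\d+\s+)?([si]):\s*(.+?)\s*$")

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the peer sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1) == "s":
            subject = m.group(2)
        elif m and subject is not None:
            chain.append((subject, m.group(2)))
            subject = None
    return chain

def diagnose(chain, trusted_roots, local_intermediates=None):
    """Name-based path check against one client's store (no signature checks)."""
    local = local_intermediates or {}
    if not chain:
        return "nothing presented"
    if any(a[1] != b[0] for a, b in zip(chain, chain[1:])):
        return "presented chain does not link"
    issuer, used_local, seen = chain[-1][1], False, set()
    while issuer not in trusted_roots:
        if issuer not in local or issuer in seen:
            return "no path: issuer not in store: " + issuer
        seen.add(issuer)
        issuer, used_local = local[issuer], True
    return "ok (needed a locally stored intermediate)" if used_local else "ok"

# Constructed sample data: leaf, inspection CA and store contents are made up.
INT = "CN = Organization Validation CA - SHA256 - G2"
ROOT = "CN = GlobalSign Root CA"
LEAF = "CN = www.example.test"
PROXY_CA = "CN = Example Inspection CA"
FULL = f"Certificate chain\n 0 s:{LEAF}\n   i:{INT}\n 1 s:{INT}\n   i:{ROOT}\n"
LEAF_ONLY = f"Certificate chain\n 0 s:{LEAF}\n   i:{INT}\n"
PROXIED = f"Certificate chain\n 0 s:{LEAF}\n   i:{PROXY_CA}\n"

if __name__ == "__main__":
    roots = {ROOT}  # stands in for the browser's own trust store
    for name, text in (("full", FULL), ("leaf only", LEAF_ONLY), ("proxied", PROXIED)):
        print(name, "->", diagnose(parse_chain(text), roots))
    print("leaf only + manual import ->",
          diagnose(parse_chain(LEAF_ONLY), roots, {INT: ROOT}))
    print("proxied, OS store ->", diagnose(parse_chain(PROXIED), roots | {PROXY_CA}))
```

Run the `openssl` command on each network and compare the leaf's issuer line: a different issuer on one network indicates interception, while a chain with no depth-1 entry means the intermediate was not delivered to the client.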

terranigma

Re: GlobalSign Intermediate SSL Certificates missing.

Unread post by terranigma » 2019-02-05, 01:05

Moonchild wrote:
> terranigma wrote:
> > If it is a proxy or security AV that is forcing its own certificate, Chromium should have the same issue as well, but it does not.
>
> Not necessarily. I don't know if Chromium automatically imports certs from the Windows trust store or not, but if so, then it's possible the security software installed the required intermediates in the Windows store. Since we use our own trust store (and Firefox likewise, probably), it wouldn't be picked up automatically.

Does this explain why the problem is solved if I manually add the GlobalSign intermediate certs, which are already presented by the server?
