certificate issues!

[blackkatt]

Hi guys!

I'm trying out the new 1.0.0 version. When Sab is first launched I get this

Your connection is not secure

The owner of 127.0.0.1 has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

127.0.0.1:8014 uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. The certificate is only valid for SABnzbd

then if you add it as exception it says this

could not verify this certificate because it was signed using a signature algorithm that was disabled because that algorithm is not secure.

its seem that using a disabled algorithm for being insecure its the same as having no SSL at all, so please fix

PS: I created my own cert for now. So no need recommend doing that

[shypike]

We've never used valid certificates, because that is impossible to.
All we can do is generate a self-signed certificate which you have to approve in your browser.
It's been like this for years.
Having a self-signed certificate is better than nothing.
Interception is not that easy, because the browser will not accept a modified certificate.

You're likely seeing the warning again because we switched from "localhost" to "127.0.0.1" as default host.
BTW: using HTTPS on a local-only connection is overkill.

[blackkatt]

You are missing the point

"could not verify this certificate because it was signed using a signature algorithm that was disabled because that algorithm is not secure."

the self-signed /created cert is falud. Creating your own at http://www.selfsignedcertificate.com/ won't use an "disabled algorithm" =)

[safihre]

Interesting, what OS are you on?
I just tried it on Ubuntu with Firefox and it would still let me visit the page after adding the exception, no message about the signature algorithm.
Also on Win10 using Firefox and Chrome it doesn't mention anything about the signature.

Maybe Sander has an idea why there's a problem with the signatures? Do we use an old one? Seems pretty standard stuff in certgen.py.

[shypike]

It seems that we're using a outdated signing method.
We'll need to upgrade this in the next release, although it will only fix the issue for new installations.

@blackkat
1.0.0 will reuse certificates from 0.7.20, which have the same issue.

[sander]

Maybe Sander has an idea why there's a problem with the signatures? Do we use an old one? Seems pretty standard stuff in certgen.py.

Nope; I just tested it on Windows, and for me it works with Chrome, Firefox and IE. Well ... as long as you order your browser to accept the invalid certificates.

[blackkatt]

Interesting, what OS are you on?
I just tried it on Ubuntu with Firefox and it would still let me visit the page after adding the exception, no message about the signature algorithm.
Also on Win10 using Firefox and Chrome it doesn't mention anything about the signature.

it will, u just have to look. in firefox get to "page info/security" then view certificate

It seems that we're using a outdated singing method.
We'll need to upgrade this in the next release, although it will only fix the issue for new installations.

@blackkat
1.0.0 will reuse certificates from 0.7.20, which have the same issue.

that's why I signed my own, but you could always inform users about it, i bet they would like to know
thnx for the fast replay, its always nice with devs that listens. no idea when they disabled that algo, but we all have had this problem sense then and non has notice hehe.

[shypike]

Blackkatt is right.
We'll fix this.

[sander]

Blackkatt is right.
We'll fix this.

SP, can you explain what the problem is? "Outdated" is the cause? If so: it looks OK on my system:

Code: Select all

Issued On	Tuesday, July 8, 2014 at 10:41:39 PM
Expires On	Friday, July 5, 2024 at 10:41:39 PM

[safihre]

The signing algorithm that was used to create them, according to Firefox.

[sander]

The signing algorithm that was used to create them, according to Firefox.

Strange; my Firefox 45.0 has no problems after I confirm I want to add https://127.0.0.1:9090/ as an exception.

@safihre: are you able to reproduce it with your Firefox?

[shypike]

Chrome says:
"The Server's certificate is signed using a weak signature algorithm."

Enough said: will be fixed in 1.0.1 or 1.1.0