Resolved SSL Cert Blocked at work

thepaul500

Level 2 Member
#1
Something about the security cert being out of date or incorrect. I highly doubt work has singled this out, though I do spend quite a bit of time here...

Anyways, fix that. K thanks.

*Note, I don't care if its the site' fault or my company's restrictive access policies, I would like you to fix it either way.*
 

Matt

Administrator
Staff member
#2
Something about the security cert being out of date or incorrect. I highly doubt work has singled this out, though I do spend quite a bit of time here...

Anyways, fix that. K thanks.

*Note, I don't care if its the site' fault or my company's restrictive access policies, I would like you to fix it either way.*
Retire.
 

thepaul500

Level 2 Member
#4
Hmmm, weird. On IE it says problem with security cert, chrome won't even allow it to open. Maybe that retire solution was right...but I thought this wasn't supposed to be an early retirement forum?
 

SomeRandomGuy

Nerd, Poet, Warrior
#6
The cert. does validate fine for me too, don't see any issues with the CA or the way it was signed. It's served via TLS 1.2, which is good. Ancient (as in pre-IE 6 ancient) versions of IE will have issues since modern web servers won't support some older SSL protocols that are broken like SSLv1/SSLv3. That's doubtful, though, esp. if Chrome is barking. Chrome's really strict.

Does your work environment have a proxy? Proxies can really mess with SSL so a client can interpret that as an MITM attack or do other things that could cause issues. If its properly configured it shouldn't try to proxy https/SSL at all, since there's no way to do that securely.
 
Last edited:

SomeRandomGuy

Nerd, Poet, Warrior
#7
Because I have no social skills, I also decided to inspect the http headers sent to the client and note that the web server is actually using good security practices. The cookies it sends are httpOnly (protecting against some kinds of bad JS attacks). The site-specific cookie is sent with the 'secure' flag, also good. And there's an 'X-Frame-Options: SAMEORIGIN' header which protects against clickjacking. Not really relevant to SSL/cert blocking issues, but good to see the bases are being covered.

Sorry to drop a nerd-bomb.
 
Last edited:

thepaul500

Level 2 Member
#8
I understood all of that Nick Burns.

I believe my avatar sums up my understanding of everything that was just said. I think we can say with 104.2% certainty that it is my work doing something annoying, and rather than dig deeper, I'll just use IE/Opera and click through the warnings.

To sum it up and close out this: Chrome no worky. IE kinda worky. My worky is wonky. #l0lZ or something.
 

swazzie

Level 2 Member
#9
I understood all of that Nick Burns.

I believe my avatar sums up my understanding of everything that was just said. I think we can say with 104.2% certainty that it is my work doing something annoying, and rather than dig deeper, I'll just use IE/Opera and click through the warnings.

To sum it up and close out this: Chrome no worky. IE kinda worky. My worky is wonky. #l0lZ or something.
You're not alone, @thepaul500. My work place's internet filter started blocking the site this week, too. There was at least one problem with the certificate earlier this week with IE (the web site name on the cert didn't match saverocity.com, which is a big no-no). I see that's fixed now and hopefully I can open the site from work today to catch up on the last few days of posts.
 

Matt

Administrator
Staff member
#10
You're not alone, @thepaul500. My work place's internet filter started blocking the site this week, too. There was at least one problem with the certificate earlier this week with IE (the web site name on the cert didn't match saverocity.com, which is a big no-no). I see that's fixed now and hopefully I can open the site from work today to catch up on the last few days of posts.
Hope so! We've a large readership from people who should actually be working.. sorry to mess with your day. Let me know if its any better today.
 

MickiSue

Level 2 Member
Supporter
#11
If not retire...become self-employed. Then the only way management can lock out any site is if you do it yourself.

That's what I did with FB, back in the day. A worse time suck, I could NOT imagine.
 

SomeRandomGuy

Nerd, Poet, Warrior
#13
Oddly, I got a couple SSL errors at work today, mostly just the stylesheet not loading. I was too busy with work-related activities to spend much time looking into it, though. I guess I should retire too.
 

Matt

Administrator
Staff member
#14
We've made a number of changes, and brought in backward compatible protocols. I think this should cover most instances, but please let me know if there are further problems. We now support:

Handshake Simulation
Android 2.3.7 No SNI 2 TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) FS 128
Android 4.0.4 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256
Android 4.1.1 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256
Android 4.2.2 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256
Android 4.3 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256
Android 4.4.2 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS 256
Android 5.0.0 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128
Baidu Jan 2015 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256
BingPreview Jan 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS 256
Chrome 40 / OS X R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128
Firefox 31.3.0 ESR / Win 7 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128
Firefox 35 / OS X R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128
Googlebot Feb 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128
IE 6 / XP No FS 1 No SNI 2 Protocol or cipher suite mismatch Fail3
IE 7 / Vista TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256
IE 8 / XP No FS 1 No SNI 2 TLS 1.0 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) No FS 112
IE 8-10 / Win 7 R TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256
IE 11 / Win 7 R TLS 1.2 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) FS 256
IE 11 / Win 8.1 R TLS 1.2 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) FS 256
IE Mobile 10 / Win Phone 8.0 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256
IE Mobile 11 / Win Phone 8.1 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128
Java 6u45 No SNI 2 Client does not support DH parameters > 1024 bits Fail3
Java 7u25 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128
Java 8u31 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128
OpenSSL 0.9.8y TLS 1.0 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) FS 256
OpenSSL 1.0.1l R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS 256
OpenSSL 1.0.2 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS 256
Safari 5.1.9 / OS X 10.6.8 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256
Safari 6 / iOS 6.0.1 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256
Safari 6.0.4 / OS X 10.8.4 R TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256
Safari 7 / iOS 7.1 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256
Safari 7 / OS X 10.9 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256
Safari 8 / iOS 8.1.2 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256
Safari 8 / OS X 10.10 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256
Yahoo Slurp Jan 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS 256
YandexBot Jan 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS 256
 

jonasan

Level 2 Member
#19
Wow, for a while I was getting e-mails, but when I tried getting on the site it wouldn't work (not tech savvy so I had no idea why)... but now it works again!
 

Matt

Administrator
Staff member
#21
woohoo - I'm back, too :)
works for me now too!
Wow, for a while I was getting e-mails, but when I tried getting on the site it wouldn't work (not tech savvy so I had no idea why)... but now it works again!
oh my goodness i miss you the forum!!!!
Sorry folks - I wasn't aware that it was a problem for so many people until recently and we've been busting our butts over the weekend trying to figure out the solution. Glad to see you back here!
 

swazzie

Level 2 Member
#22
No longer blocked at work! I had checked earlier this week and was still blocked. I think the redirect issue has also cleared up. Thanks for working to make the site more secure.
 
#24
Hmm and I always thought I'd be the only one with this issue. Kept on being blocked with my old Win XP machine at work. I definitely can rule out it being a block as I'm in charge of everything here and there's no kind of any hard or soft blocks. I figured it was the discontinued support of XP from MSFT and thus not updating the proper Chrome protocols or something. The forum seems to work now again on that particular machine so I guess the problem was on this side indeed.
 

Matt

Administrator
Staff member
#25
Hmm and I always thought I'd be the only one with this issue. Kept on being blocked with my old Win XP machine at work. I definitely can rule out it being a block as I'm in charge of everything here and there's no kind of any hard or soft blocks. I figured it was the discontinued support of XP from MSFT and thus not updating the proper Chrome protocols or something. The forum seems to work now again on that particular machine so I guess the problem was on this side indeed.
It was legacy TLS support...
 

BigHabitat

Level 2 Member
#28
Wow, saw this thread highlight in the newsletter. I thought the work related issues were specific to my company and not a larger issue. It's a pain when you can't access the forum at work - it's a huge pain when you can't create blog posts! Forum working, but the old version of IE we use at work basically cripples wordpress editing (not blocked, but unusable nonetheless)
 

Someone

Level 2 Member
#29
Weird, for a minute there I got an SSL error and when I looked at the cert it said dm2.fastdomain.com for the hostname. I was reading the new t-mo card wiki and clicked to page two, so it wasn't a typo on my part. I reloaded a few minutes later and got the saverocity.com cert this time.

I'm at home on fios, no filtering, current chrome on win7. Maybe you're working on the ssl stuff still?
 

Matt

Administrator
Staff member
#30
Weird, for a minute there I got an SSL error and when I looked at the cert it said dm2.fastdomain.com for the hostname. I was reading the new t-mo card wiki and clicked to page two, so it wasn't a typo on my part. I reloaded a few minutes later and got the saverocity.com cert this time.

I'm at home on fios, no filtering, current chrome on win7. Maybe you're working on the ssl stuff still?
Yeah sorry- I'm in the process of migrating DNS which caused that. There might be one more bump like that but I am trying to do that at a quiet time.

  1. I discovered that cloudflare (CF) was kicking off the EV cert.
  2. I turned off CF which fixed the EV cert.
  3. Fixing the EV cert kicked off work access and all social media integration as it runs on old technology.
  4. Fixed the access and integration by adding in legacy protocols
  5. Tried to upgrade mailing system today and discovered I needed to access DNS
  6. Remembered DNS hadn't yet migrated away from Bluehost.
  7. Went to Bluehost to warm up the txf so I could migrate zone, noticed that CF was running as nameservers.
  8. Swapped from CF to Bluehost Nameservers so the migration would be clean.
  9. Caused that situation you saw.
So I kicked up a fuss just getting ready to kick up a fuss.

Technology is brilliant.
 
Top