Closed
Bug 398210
Opened 17 years ago
Closed 17 years ago
onlineid.bankofamerica.com sending incomplete SSL certificate chain
Categories
(Tech Evangelism Graveyard :: Other, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: nelson, Unassigned)
Details
The SSL server certificate for https://onlineid.bankofamerica.com/ was replaced (renewed) in August 2007. The new certificate is issued by an intermediate Verisign CA, but as of this writing, the server is not sending out the intermediate CA certificate. The server is sending only its own server cert, not a complete certificate chain. Consequently, when users of any browser except IE visit that web site, they get a bad certificate dialog, due to the incomplete certificate chain. IE users typically do not have this problem because IE saves a copy of all valid intermediate CA certificates that it encounters, and so is able to supply the missing intermediate CA certificate.

According to the representative of the bank's Certificate Administration department in Dallas, with whom I spoke today, the bank is aware of the issue. The position stated to me included these points:

- the site works with MS IE
- the bank recommends that its users use only MS IE with their site
- the proposed solution for users of other browsers is for those users to install the missing intermediate CA certificate in their browsers, so that they work like IE.

A member of the customer service department informed me that the onlineid server has been superseded by https://sitekey.bankofamerica.com/sas/signonScreen.do

That new server sends out a complete cert chain and does not exhibit the problem. So apparently the workaround, perhaps the solution, is for users to change their bookmarks to go to that new URL instead of the older onlineid site.
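A check for the condition this report describes (the server sends only its own certificate, so the chain never reaches a root the browser already holds), as an added example that is not code from the bug report or from Mozilla. It parses the "Certificate chain" section of an `openssl s_client -showcerts` transcript; the transcripts, CA names and root store below are constructed samples, and the ` N s:` / `   i:` line shape is assumed to match what openssl prints.

```python
import re

# Constructed root store: subject names the browser already trusts (not real DNs).
TRUSTED_ROOTS = {"O=VeriSign Trust Network, OU=Class 3 Public Primary CA (constructed)"}

_CERT_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:<subject>"
_ISSUER_LINE = re.compile(r"^\s+i:(.*)$")           # "   i:<issuer>"


def parse_chain(transcript):
    """Return (subject, issuer) pairs in the order the server sent them."""
    chain, subject = [], None
    for line in transcript.splitlines():
        m = _CERT_LINE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = _ISSUER_LINE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def check_chain(transcript, roots=TRUSTED_ROOTS):
    """Walk leaf-first: each issuer must be the next subject, the last a trusted root."""
    chain = parse_chain(transcript)
    if not chain:
        return False, "no certificates in transcript"
    for (subj, issuer), (next_subj, _) in zip(chain, chain[1:]):
        if issuer != next_subj:
            return False, f"chain break after '{subj}': expected '{issuer}'"
    last_subj, last_issuer = chain[-1]
    if last_issuer in roots:
        return True, "complete chain"
    if last_subj == last_issuer:
        return False, f"untrusted root '{last_issuer}'"
    # The bug in the report: leaf sent, its issuing intermediate absent.
    return False, f"incomplete chain: missing intermediate '{last_issuer}'"


# Constructed transcripts in the shape of `openssl s_client -showcerts` output:
# LEAF_ONLY mirrors the onlineid server, FULL_CHAIN the sitekey server.
LEAF_ONLY = """\
Certificate chain
 0 s:CN=onlineid.bankofamerica.com (constructed)
   i:O=VeriSign, Inc., CN=Intermediate CA (constructed)
"""
FULL_CHAIN = LEAF_ONLY + """\
 1 s:O=VeriSign, Inc., CN=Intermediate CA (constructed)
   i:O=VeriSign Trust Network, OU=Class 3 Public Primary CA (constructed)
"""
```

Against a live server, feed it the output of `openssl s_client -connect host:443 -showcerts </dev/null` and a root store of your own; the browser-side fix the bank proposed (importing the intermediate) only hides the server-side misconfiguration this check reports.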
Comment 1•17 years ago
If the bank's attitude is "Use IE" at this point in time, after all the ridiculous vulnerabilities IE has been shown to have, I'm not sure there's a whole lot we can do to change it, but I also don't think this is a very serious problem since there's a workaround and the problematic server might, at some point, be going away. I think there are probably better ways to use our exceedingly limited TE resources than to worry too much about this bug.
Comment 2•17 years ago
I don't know enough to say, but would updating the "root certificates" have any bearing on this issue, or is it simply a misconfiguration on BoA's end, that would have to wait for them to resolve?

"Microsoft root certificate program members (July 2007)"
http://support.microsoft.com/kb/931125
Comment 3•17 years ago (Reporter)
For years, Verisign issued SSL server certificates whose issuer certificate was a root CA certificate that was already in all browsers. So, there was no need for any SSL server administrators who used Verisign SSL server certificates to ever install anything more than their server's certificate. But a year or two ago (IIRC), Verisign stopped issuing SSL server certs that were issued by that old root CA, and started issuing their SSL server certs from an intermediate CA, whose own cert was issued by a root CA that is found in all browsers. That change made it necessary for server admins to install both their new server cert AND ALSO the intermediate CA certificate in their servers, so that their servers would send out complete certificate chains that chain up to a root cert in the browser, as the SSL and TLS specifications require.

One can get the missing Intermediate CA certificate from this URL:
<http://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html>

One may read more about this problem and Verisign's advice on how to handle it at these Verisign URLs:
<http://www.verisign.com/support/advisories/page_029264.html>
<http://www.verisign.com/support/advisories/page_040601.html>
<http://www.verisign.com/support/advisories/page_040611.html>
Comment 4•17 years ago
This now appears to be resolved. No longer does the certificate warning message pop up.

-------

Updating the "root certificates" did not have any effect. I was going to try what was mentioned here, https://bugzilla.mozilla.org/show_bug.cgi?id=327181#c116 to see if that would have worked, but alas, the chance did not present itself.
Comment 5•17 years ago (Reporter)
I agree. This is now WORKSFORME.

To "Therube", here is another site you can use to try the new web site exception feature.
https://www.biglumber.com/x/web?mp=1
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
Updated•9 years ago
Product: Tech Evangelism → Tech Evangelism Graveyard