SSL Issue <Warning Users Not Secure However SSL Applied>

Views: 168

Problem description



Hi, we have a PositiveSSL Wildcard Certificate for the URL which is installed on the server, and to the best of my knowledge everything is OK. However, over the course of launching we have sent out 100,000 mailers, of which so far 20,000 have re-signed up; however, a few people have been in touch ref MIM attacks stating the site/application is insecure, but as far as we can see we are not getting any notifications, and it appears only a few people are (specifically Chrome users), some mobile, some web-based.

Attached is a reading on the Comodo SSL and all appears OK bar a little warning, which I am unsure really affects us as we have this in place already.

https://goo.gl/w6qCHs

What would you advise?

Thanks

Solution

For a start, the URL you've given in that link is not a wildcard subdomain certificate.

However, the main issue is that you are not providing your intermediate certs.

A cert is valid for a website; it is normally signed by one or more intermediate certs, which are then signed by a cert that is pre-installed and trusted by web browsers. If a web browser cannot build a chain of trust back to a cert it already knows about, you will get this error.

A web server can provide the website certificate, or the website certificate AND the intermediate certificates. The latter is normally recommended as it helps browsers quickly build the chain of trust. Some browsers might have some intermediate certs in their trust stores by default, might already have them if they have visited a site that uses them, or might even automatically try to download intermediate certs, but that's not guaranteed.

All this can be seen by running your website through the ssllabs.com server test. That shows the same "little warning", the full chain of trust (actually two chains are possible for your site but always best to install the intermediates which allow the shortest chain), and lots of other useful information about your SSL setup (which actually looks very good apart from this missing intermediate cert issue).

How you configure your web server to return the intermediate cert depends on your server. Looks like you are running nginx (it's a good idea to turn off server HTTP headers that give away software info, btw, but that's a separate matter), so normally you just concatenate the intermediate and server certs into one .crt file (these are usually just text files with cert information encoded). For more information see here: http://nginx.org/en/docs/http/configuring_https_servers.html#chains.

Note you can also configure too many certs on your server, which is wasted effort. The root cert is not needed, for example, as this will be in the browser. Retest using ssllabs.com after you fix it to confirm all looks good.
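To check the concatenated .crt before pointing nginx's ssl_certificate at it, here is an added Python example (not from the answer, nginx or Comodo): it reads the bundle in file order and confirms that each certificate's issuer is the subject of the next one, that at least one intermediate is present, and that no root is included. The sample chain and its names (*.example.com, Test Intermediate CA, Test Root CA) are constructed for the demonstration; the DER it builds carries only the fields the check reads, so it is not a usable certificate.

```python
import base64, re

def _tlv(buf, pos):  # read one DER TLV at pos -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def subject_issuer(cert_der):  # raw DER of the (subject, issuer) Names of one X.509 certificate
    _, tbs, _ = _tlv(_tlv(cert_der, 0)[1], 0)           # Certificate -> tbsCertificate
    pos = _tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0       # skip optional [0] version
    fields = []
    for _ in range(5):                                   # serial, sigAlg, issuer, validity, subject
        start, pos = pos, _tlv(tbs, pos)[2]
        fields.append(tbs[start:pos])
    return fields[4], fields[2]

def pem_certs(bundle_text):  # split a .crt bundle into DER certificates, in file order
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", bundle_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def check_chain(bundle_text):  # problems with a leaf-first bundle as nginx expects it; [] means it looks right
    certs = [subject_issuer(d) for d in pem_certs(bundle_text)]
    problems = []
    if len(certs) < 2:
        problems.append("only %d certificate(s) in file: intermediates missing" % len(certs))
    for i, (subj, iss) in enumerate(certs):
        if subj == iss:
            problems.append("cert %d is self-signed (a root): browsers ship it, drop it" % i)
        elif i + 1 < len(certs) and iss != certs[i + 1][0]:
            problems.append("cert %d is not issued by cert %d: wrong order or wrong intermediate" % (i, i + 1))
    return problems

# Constructed sample chain: DER with the X.509 field layout but placeholder algorithm, validity, key and
# signature fields, which is all the ordering check reads (a real bundle comes from your CA).
def _der(tag, payload):
    return bytes([tag, len(payload)] if len(payload) < 128 else [tag, 0x81, len(payload)]) + payload
def _name(cn):                                           # Name ::= SEQ { SET { SEQ { OID cn, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
def make_cert(subject_cn, issuer_cn):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")   # v3, serial, sigAlg
           + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn) + _der(0x30, b""))  # validity, key
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))

LEAF = make_cert("*.example.com", "Test Intermediate CA")
INTER = make_cert("Test Intermediate CA", "Test Root CA")
GOOD_BUNDLE = to_pem(LEAF) + to_pem(INTER)               # what `cat server.crt intermediate.crt` should give
```

Run check_chain on the file you are about to deploy; a leaf-only file reports the missing intermediates, and a bundle with the intermediates in the wrong order or with the root appended is flagged too.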
