0002333: zandronum.com doesn't present intermediate certificate, leading to no trust chain

Chat on our Discord Server Get the latest version: 3.2
Source Code

View Issue Details [ Jump to Notes ]

[ Issue History ] [ Print ]

Project

Category

View Status

Date Submitted

Last Update

0002333

Site

[All Projects] Bug

public

2015-06-28 07:33

2018-12-01 06:44

Reporter

thanatos

Assigned To

Blzut3

Priority

normal

Severity

minor

Reproducibility

always

Status

closed

Resolution

fixed

Platform

amd64

Gentoo Linux

OS Version

Summary

0002333: zandronum.com doesn't present intermediate certificate, leading to no trust chain

Description

Attempting to wget or curl from zandronum results in the following:

% wget 'https://zandronum.com/downloads/zandronum2.1-linux-x86_64.tar.bz2'
--2015-06-28 00:24:42-- 'https://zandronum.com/downloads/zandronum2.1-linux-x86_64.tar.bz2 [^]'
Resolving zandronum.com... 76.74.158.193
Connecting to zandronum.com|76.74.158.193|:443... connected.
ERROR: cannot verify zandronum.com's certificate, issued by ‘/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA’:
Unable to locally verify the issuer's authority.
To connect to zandronum.com insecurely, use `--no-check-certificate'.

This is because the leaf certificate for zandronum.com is signed by an intermediate certificate; the webserver needs to be configured to send the intermediate certificate as well as the leaf certificate. You can see this issue on SSLLabs, as well:

'https://www.ssllabs.com/ssltest/analyze.html?d=zandronum.com [^]'

> This server's certificate chain is incomplete.

> Certificates provided 1 (1862 bytes)
> Chain issues Incomplete

This can affect Firefox (and I think, Chrome) too. Firefox appears to store intermediate certificates that it happens to run across, so because I happened to see StartCom's intermediate cert from somewhere else on the 'net, zandronum.com works. If, however, I open a brand-new profile,

% firefox -new-instance -profile ./some-empty-directory

and only browse to zandronum.com, I see:

> You have asked Aurora to connect securely to zandronum.com, but we can't confirm that your connection is secure.

Steps To Reproduce

wget 'https://zandronum.com/downloads/zandronum2.1-linux-x86_64.tar.bz2'

Additional Information

I run Gentoo, so I make ebuild files (Gentoo's equivalent of .deb) for Zandronum. ebuilds download directly from the source, so they need to download from zandronum.com, but can't, due to this error.

I highly recommend taking a look at the SSLLabs page: you should stop using SSLv3 too. :-)

Attached Files

Relationships

Notes
(0012826) Blzut3 (administrator) 2015-07-01 09:04	Good enough now?

(0012827) thanatos (reporter) 2015-07-01 23:51	That was quick! Yes, looks all fixed now, and curl/wget/portage can download. (And wow, that score on SSLlabs is much improved.)

**Issue Community Support**
This issue is already marked as resolved. If you feel that is not the case, please reopen it and explain why.
Supporters:	No one explicitly supports this issue yet.
Opponents:	No one explicitly opposes this issue yet.

Issue History
Date Modified	Username	Field	Change
2015-06-28 07:33	thanatos	New Issue
2015-07-01 09:04	Blzut3	Assigned To	=> Blzut3
2015-07-01 09:04	Blzut3	Status	new => assigned
2015-07-01 09:04	Blzut3	Note Added: 0012826
2015-07-01 09:04	Blzut3	Status	assigned => feedback
2015-07-01 23:51	thanatos	Note Added: 0012827
2015-07-01 23:51	thanatos	Status	feedback => assigned
2015-07-01 23:54	Blzut3	Status	assigned => resolved
2015-07-01 23:54	Blzut3	Resolution	open => fixed
2018-12-01 06:44	Blzut3	Status	resolved => closed

Questions or other issues? Contact Us.

Links

Doom and Doom II are the property of id Software.