Bob Schneider
asked on
SSL Issue: Your site is not private message
I had an issue with my SSL so I installed another certificate. I am still getting the same error. The site is gsetiming.com. Note that the issue isn't on the home page...I assume because that is just an html page. But most other pages give me the error most of the time. (I posted this on this site earlier but with a slightly different focus. I hope this is ok.)
Thanks in advance for your help.
The SSL certificate has been revoked which means it is no longer valid. I would talk to the SSL certificate provider to find out why it was revoked.
ssllabs thinks this:
https://www.ssllabs.com/ssltest/analyze.html?d=gtraxc.com (B at Best) Certificate revoked and/or not verifiable
https://www.ssllabs.com/ssltest/analyze.html?d=gsetiming.com (B at Best) Certificate revoked and/or not verifiable
Your server(s) support INSECURE protocols. See the reports. (and are effectively not secured). Some SSL protocols get deprecated and cannot be used anymore... and SHOULD be hard disabled.
According to SSLLabs the certificates are not revoked, but the appstores & mozilla think they are.... This is the expansion on that from SSLLabs:
https://www.ssllabs.com/ssltest/analyze.html?d=gsetiming.com#whyNotTrusted
Or maybe a problem with your CA:
$ openssl s_client -connect gtraxc.com:443 -crl_check_all
CONNECTED(00000003)
depth=0 CN = www.gtraxc.com
verify error:num=3:unable to get certificate CRL
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA DV SSL CA 2018
verify error:num=3:unable to get certificate CRL
verify return:1
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify error:num=3:unable to get certificate CRL
verify return:1
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA DV SSL CA 2018
verify return:1
depth=0 CN = www.gtraxc.com
verify return:1
---
....
$ openssl s_client -connect gtraxc.com:443 -crl_check_all -verify_return_error
CONNECTED(00000003)
depth=0 CN = www.gtraxc.com
verify error:num=3:unable to get certificate CRL
140158703531840:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 3556 bytes and written 319 bytes
Verification error: unable to get certificate CRL
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID: 860900001B75740D6B4F3B4725B90B3E62F855589BC66DB594C031F66EF26EFF
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1611530330
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
ATQ is better: https://www.ssllabs.com/ssltest/analyze.html?d=atq%2dquality.com its security leaves a lot to be desired as it only scores a B.
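A note on reading the openssl output above: `s_client -crl_check_all` does not download CRLs, so "verify error:num=3:unable to get certificate CRL" only says OpenSSL had no CRL to consult, not that the certificate is revoked (that would be error 23). The triage script below is an added example, not code from this thread; it parses the verbatim excerpt of the first run quoted above and maps each verify error to a verdict using a small, hand-picked set of OpenSSL X509_V_ERR codes.

```python
import re

# Constructed sample: an excerpt of the `openssl s_client -crl_check_all`
# run quoted in the thread (first pass over the chain only).
SAMPLE = """\
CONNECTED(00000003)
depth=0 CN = www.gtraxc.com
verify error:num=3:unable to get certificate CRL
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA DV SSL CA 2018
verify error:num=3:unable to get certificate CRL
verify return:1
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify error:num=3:unable to get certificate CRL
verify return:1
"""

# OpenSSL X509_V_ERR codes relevant to a "your site is not private" triage.
# Code 3 means no CRL was available locally (s_client never fetches one),
# so it is inconclusive; only code 23 actually says "revoked".
VERDICTS = {
    3: ("inconclusive", "no CRL available locally; supply it via -CRLfile before judging revocation"),
    10: ("broken", "certificate has expired"),
    20: ("broken", "issuer certificate missing: server sends an incomplete chain"),
    23: ("broken", "certificate is revoked according to the supplied CRL"),
}

DEPTH_RE = re.compile(r"^depth=(\d+) (.*)$")
ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")

def parse_chain(output):
    """Return {depth: {"subject": str, "errors": [(code, message), ...]}}."""
    chain, current = {}, None
    for line in output.splitlines():
        m = DEPTH_RE.match(line)
        if m:
            current = int(m.group(1))
            chain.setdefault(current, {"subject": m.group(2), "errors": []})
            continue
        m = ERR_RE.match(line)
        if m and current is not None:
            err = (int(m.group(1)), m.group(2))
            if err not in chain[current]["errors"]:  # second pass repeats lines
                chain[current]["errors"].append(err)
    return chain

def triage(output):
    """List (depth, subject, code, verdict, explanation) for every verify error."""
    return [(d, e["subject"], code, *VERDICTS.get(code, ("needs review", msg)))
            for d, e in sorted(parse_chain(output).items()) for code, msg in e["errors"]]

def overall(output):
    """Worst verdict across the chain: broken > needs review > inconclusive > ok."""
    seen = {f[3] for f in triage(output)}
    return next((v for v in ("broken", "needs review", "inconclusive") if v in seen), "ok")
```

Running `overall(SAMPLE)` on the quoted output yields "inconclusive", which is the honest reading of that run: it neither confirms nor rules out the revocation that the browsers and SSLLabs disagree about.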
But then again, so does
Google.com
Facebook.com
Amazon.com
Microsoft.com
In fact, it's more common than not but that will change at some point
Using the SSLLabs it can quickly be transformed to A, possibly A+...
(Google & Facebook susceptible to POODLE... think not).
They still allow for TLS 1.0 and TLS 1.1.... that will probably be removed in the coming months.
The above mentioned sites still allow RC4 which has been broken some time ago....
Agreed, though Facebook.com using it (even only with older protocols) was surprising
Microsoft.com not supporting Forward Secrecy wasn't really that much of a surprise :\
Facebook caring about privacy and security?... that would be new.
Same for Microsoft actually caring for security of others.
+1 for noci's comment about Facebook + Microsoft.
https://www.ssllabs.com/ssltest/analyze.html?d=davidfavor.com provides a report of what I target for cert quality.
For now, you'll always have Cipher Strength 90 when running TLSv1.3 which I do because TLSv1.3 provides some speed benefits under certain circumstances.
Said differently, A+ is the minimum score I allow when I deploy a site.
This provides best user experience when accessing a site.
ASKER
David, do I have to do anything on IIS other than install the new certificate? Also, are there instructions for installing in IIS 10?
Anything you can tell me about "badly broken" would be much appreciated
Thank you all!
ASKER
Never mind that last comment. I see you gave me a site to look at for issues. Thank you!
Links for your site are already mentioned in this comment: https://www.experts-exchange.com/questions/29206157/SSL-Issue-Your-site-is-not-private-message.html#a43231196
(the results from yesterday are still there, unless you forced a rescan).
My comments about breakage above.
To me, any < A+ score is broken, or rather, I only deploy A+ sites into the wild, as having an A+ score resolves many oddball edge conditions which can show up in browsers.
Whether Windows or Linux or OSX, you'll generate a cert once + install it, then set up a nightly CRON (or equivalent) job to run the command...
certbot renew --non-interactive --no-self-upgrade --post-hook "service-bounce"
Which will auto-magically renew all certs.
Your service-bounce script will collect together all service restart commands required to ingest a new cert.
For example, this will usually include HTTPS + IMAPS + SQL or any other services which require a restart or reload each time a new cert becomes available... like when a renewal occurs...
Also, an A+ obtained now will deteriorate automatically to A then B due to deprecation of hashes and encryption methods.