Bug 235239 - Opera lists bugs.g.o's SSL cert with AES256+SHA as insecure
Summary: Opera lists bugs.g.o's SSL cert with AES256+SHA as insecure
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Bugzilla
Hardware: All All
Importance: High normal
Assignee: Bugzilla Admins
URL: http://wiki.cacert.org/wiki/BrowserCl...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-08-19 22:32 UTC by Christian Hoffmann (RETIRED)
Modified: 2012-12-30 00:26 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
- 2008-08-20-065931_907x630_scrot.png (2008-08-20-065931_907x630_scrot.png, 37.92 KB, image/png), 2008-08-20 05:10 UTC, Jeroen Roovers (RETIRED)
- 2008-08-20-065931_907x630_scrot.png (2008-08-20-065931_907x630_scrot-emph.png, 28.67 KB, image/png), 2008-08-20 05:11 UTC, Jeroen Roovers (RETIRED)
- Security protocols dialog (2008-08-20-072304_694x591_scrot.png, 31.84 KB, image/png), 2008-08-20 05:25 UTC, Jeroen Roovers (RETIRED)

Description Christian Hoffmann (RETIRED) gentoo-dev 2008-08-19 22:32:53 UTC
http://files.hoffie.info/opera-1.png
http://files.hoffie.info/opera-2.png

opera-9.51, no special settings, CACert root cert imported (I get the warning no matter what).
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-08-19 22:53:53 UTC
jer: Why is Opera calling AES256-SHA insecure?
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2008-08-20 04:52:12 UTC
(In reply to comment #1)
> jer: Why is Opera calling AES256-SHA insecure?

It isn't. It's calling https://bugs.gentoo.org/ insecure because apparently it doesn't quite understand ca-cert...
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2008-08-20 05:10:15 UTC
Created attachment 163353 [details]
2008-08-20-065931_907x630_scrot.png

I guess not trusting non-trusted CAs is the norm in Opera.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2008-08-20 05:11:10 UTC
Created attachment 163354 [details]
2008-08-20-065931_907x630_scrot.png

With added emphasis.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2008-08-20 05:14:51 UTC
The steps at the URL explain the whole deal very nicely:

1. Go to the CAcert Root Certificate website: [1] 
2. Click on 'Root Certificate (PEM Format)' 
3. Choose 'View' 
4. Check 'Allow connections to sites using this certificate' 
5. If desired, uncheck 'Warn me before using this certificate'

[1] http://www.cacert.org/index.php?id=3
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2008-08-20 05:25:46 UTC
Created attachment 163355 [details]
Security protocols dialog

The cipher isn't the problem. I would rather think it's simply displaying the wrong error/warning message.
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-08-20 19:47:37 UTC
jer: Per the original report, Hoffie had already imported the CACert root.
Comment 8 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-20 21:43:29 UTC
Hm... partly right.
I got this as a report from a non-Gentoo user who complained about bugs.gentoo.org being not trusted by default (even with CAcert).

I quickly tried to reproduce this by importing the CACert cert and checking. Apparently, while the CACert import seemed to be successful, it's not listed under Tools -> Preferences -> Advanced -> Security -> Manage Certificates -> Authorities.
So I'm wondering whether this is
  * a Cipher problem related to bugs.g.o or
  * a root Cert import problem related to Opera in general
    + a wrong error message by Opera
Really not sure, but the result is that non-Gentoo users report bugs.g.o being insecure.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2008-08-21 16:06:44 UTC
I filed upstream bug #357039 and left my e-mail address and the URL for _this_ bug report.
Comment 10 Daniel Black (RETIRED) gentoo-dev 2009-09-25 06:06:21 UTC
https://lists.cacert.org/wws/arc/cacert/2009-09/msg00063.html

some weird TLS behavior as above.

I'm not sure if they blacklisted CAcert signed sites because CAcert had an OCSP responder that didn't work with GET requests which Opera uses. This was incidentally fixed yesterday.
Comment 11 Christopher Head 2011-03-07 20:40:48 UTC
There seem to be similar issues still (though newer Operas just say "The server attempted to apply security measures, but failed"). And it's *NOT* just an issue with CAcert, as I run a website myself using a CAcert certificate and it's listed as fully secure, so clearly my attempt at importing the certificate did work properly.

I did notice a couple of very, very interesting things:

First, I wonder if bugs.gentoo.org's certificate chain is set up a little bit incorrectly. I tried running "openssl s_client -connect bugs.gentoo.org:https -CApath /etc/ssl/certs -showcerts", and looking at the certificate chain. OpenSSL s_client is able to verify the chain fine, but looking at the chain *as transmitted by the server*, the first cert in the chain is the server cert, the second is the CAcert main root cert, and the third is the CAcert class 3 root. But the CAcert main root signs the CAcert class 3 root, not the other way around, so the chain is a little screwy there!

Summarized: the issuing relationship is "CAcert root ISSUES CAcert class 3 ISSUES bugs.gentoo.org", but the chain sent by the server is "bugs.gentoo.org, CAcert root, CAcert class 3", which is a strange permutation.

For comparison, I tried using s_client to connect to twitter.com:https (which of course shows up as secure in Opera), and it has the chain in order, with twitter.com's site certificate first and then each certificate immediately followed by its direct issuer.

So assuming Apache, maybe the certificates in the SSLCertificateChainFile are backwards for bugs.gentoo.org?

A possible alternative theory to the above is based on the fact that Opera has all the intermediate certificates for twitter.com in its Intermediate Certificate store. However, I can discount this theory: https://forum.startcom.org/ *also* uses three certificates (server, intermediate, and root), and while the root is installed in Opera, the intermediate is not, and that site is shown as trusted. Thus one can conclude that Opera is happy to accept a chain whose intermediates are not installed.

One final difference between bugs.gentoo.org and the other sites is that, as is more traditional, the other sites don't include the root CA certificate in their chains (they only include the intermediate certs, plus of course the server cert), whereas bugs.gentoo.org also sends the root cert in its chain.

Maybe one of these will help lead to the solution. Maybe they're all completely unrelated. I've added myself to CC and will be happy to help test this out using Opera 11.
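The chain-order check described in the comment above, as an added example that is not part of the bug report or of any Gentoo infrastructure code. It parses the " s:"/" i:" subject and issuer lines that `openssl s_client -showcerts` prints under "Certificate chain" and reports any certificate that is not immediately followed by its issuer, plus a root certificate sent in the chain. The two sample listings are constructed to mirror the ordering the comment describes (server, root, class 3) and the corrected order; the distinguished names in them are placeholders, not the real CAcert DNs.

```python
"""Check that a TLS server sends its certificate chain in issuer order.

Input is the "Certificate chain" block printed by `openssl s_client -showcerts`.
Per TLS (RFC 5246 sec. 7.4.2) each certificate must directly certify the one
before it; a self-signed root at the end is optional and usually omitted.
"""
import re

# Matches " 0 s:/CN=host" and "   i:/CN=issuer" lines (old and new s_client styles).
LINE_RE = re.compile(r"^\s*(?:\d+\s+)?([si]):\s*(.*)$")

# Constructed sample listings (placeholder DNs, not real CAcert names).
MISORDERED = """Certificate chain
 0 s:/CN=bugs.gentoo.org
   i:/O=CAcert/CN=Class 3 Root (placeholder)
 1 s:/O=CAcert/CN=Root CA (placeholder)
   i:/O=CAcert/CN=Root CA (placeholder)
 2 s:/O=CAcert/CN=Class 3 Root (placeholder)
   i:/O=CAcert/CN=Root CA (placeholder)
"""
ORDERED = """Certificate chain
 0 s:/CN=bugs.gentoo.org
   i:/O=CAcert/CN=Class 3 Root (placeholder)
 1 s:/O=CAcert/CN=Class 3 Root (placeholder)
   i:/O=CAcert/CN=Root CA (placeholder)
 2 s:/O=CAcert/CN=Root CA (placeholder)
   i:/O=CAcert/CN=Root CA (placeholder)
"""

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server transmitted them."""
    certs, subject = [], None
    for line in s_client_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group(1) == "s":
            subject = m.group(2).strip()
        elif subject is not None:          # an " i:" line completes one certificate
            certs.append((subject, m.group(2).strip()))
            subject = None
    return certs

def check_chain_order(certs):
    """Return findings about the chain; an empty list means it is in issuer order."""
    findings = []
    for pos, (subject, issuer) in enumerate(certs):
        if subject == issuer:              # self-signed: only acceptable as the last cert
            where = "last; servers normally omit it" if pos == len(certs) - 1 else "not last"
            findings.append(f"cert {pos} is a self-signed root and is {where}")
        elif pos + 1 < len(certs) and certs[pos + 1][0] != issuer:
            findings.append(f"cert {pos + 1} is not the issuer of cert {pos}; expected {issuer}")
    return findings
```

Feed it the real listing with something like `openssl s_client -connect host:443 -showcerts </dev/null | python3 -c 'import sys, chaincheck; print(chaincheck.check_chain_order(chaincheck.parse_chain(sys.stdin.read())))'` (module name is whatever you save the block as).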
Comment 12 Christopher Head 2011-09-29 19:19:40 UTC
Version 11.51 no longer seems to make this claim.
Comment 13 Alec Warner (RETIRED) archtester gentoo-dev Security 2012-12-30 00:26:27 UTC
So noted.