4 comments

[ 81.1 ms ] story [ 180 ms ] thread
Can you share the certificate you were served?
Not sure the best way to share it, so I'll paste it here...

-----BEGIN CERTIFICATE----- MIIEgDCCA2igAwIBAgIILLVnxACV9P8wDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYxMTAzMDEzMzM1WhcNMTcwMTI2MDExMzAw WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3 Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHzMz8 G+xLkFuyF2yBjvm1uwY3LewkD/U5oBRrJAzZ8nVAGc5hwOHLAg2kDe2nW2AYpdpC FtgRTi4M+vNHlrJcPfbT0j+IpS0FSeqBlbi28LUQuv+S8MuaoGHsZQ+oHUIMm5/+ fXWfqpnJSCaFBBTg4ywHeO1qcj9865b1efD8E2Nhjmm58Z9EyNqJ3SpeWagAhk7k j66vV+63MILYMfMWNQUPEM9qytPkYuVxE2SCDAPAIl1rN7put8BO2gUAhRDUh7JP CzVH8k6WQp55f0VUuxlbpH0tjPHZS/vDDPb0nggDyqdqzIUQRCeS19m8q/mFh7Rq 0znNnlRktE4UD7OpAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0 MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G A1UdDgQWBBTOIMTSAYg4AHgT3U/MUkCw2dAjtzAMBgNVHRMBAf8EAjAAMB8GA1Ud IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEASTQEiHIasdUPoCQx y+6LUjW1uW5tXFO3T5wtMYcECARrjo7jxQlfZ4pID3s1b+iNc+cL6OgTzPxfcC1r 450qeRwGW3gLtX5Hxi/bFvz/iIS+0EKAWy7cYLI+XIg9fBWNW3Q7I0xH4h3yRiFm yICwiJJULfAFXO6ySJX9Y64WvWWF6hTx2hB+oqu3UbZy2uKKhA4P0xjoK/xZCcGH BrlY0qXGWexiI0PGYhvcaQMLDLHvhmpk8tFDgjGUnrW8GrhR97oPaigA4LbdwY2O oysN7cwTsSvZP6Sfia2jqOeYn7d6q8PI1/KL9MIriwUNBANGyyWbUR7dQbeaQCTN qUJdPg== -----END CERTIFICATE-----

It's a SHA-256 certificate which expires in January, and it was signed by a SHA-1 intermediate that expires 12/31/16.

So, the way X.509 works, certificates aren't signed by a particular other certificate, but by a named Issuer and private key. This particular Issuer, "Google Internet Authority G2" has both an older SHA-1 certificate (which expires when you said) and a newer SHA-256 certificate, with the same key that expires a year later. So, there are two things that might happen here, one is their fault, one is (maybe) yours

1. They could be sending the SHA-1 intermediate instead of the correct SHA-256 intermediate. This would affect everyone connecting to that particular server. Google has to fix this by correcting the intermediate certificate delivered during TLS handshake.

2. Your client (browser) could have cached the SHA-1 certificate from somewhere and be relying on it (because the name and key match) even though Google provided a SHA-256 certificate that's better.

If you can still reproduce the error, tools like openssl's s_client mode can dump all the certificates sent over, and don't have a cache of their own, so that's useful for diagnosis.

Same (for multiple subdomains too).

  This certificate has been verified for the following usages:
  
  SSL Server Certificate

  Issued To
  
  Common Name (CN)	www.google.com
  Organization (O)	Google Inc
  Organizational Unit (OU)	<Not Part Of Certificate>
  Serial Number	2C:B5:67:C4:00:95:F4:FF
  Issued By
  
  Common Name (CN)	Google Internet Authority G2
  Organization (O)	Google Inc
  Organizational Unit (OU)	<Not Part Of Certificate>
  Validity Period
  
  Issued On	11/2/16
  Expires On	1/25/17
  Fingerprints
  
  SHA-256 Fingerprint	DB 4F 9A C6 02 74 B6 91 73 B9 BF 67 B3 64 37 20
  3A 11 6A 4B 87 C2 7A A5 18 D6 71 A5 39 37 54 82
  SHA-1 Fingerprint	DD 3B 8A D7 5A DA C1 7A F7 DC 6C A4 40 08 C3 E0
  14 2A 3E B3
Also:

  psypete@zippy:~$ ncat --ssl -v -4 www.google.com 443
  Ncat: SSL connection to 172.217.4.36:443. Google Inc
  Ncat: SHA-1 fingerprint: DD3B 8AD7 5ADA C17A F7DC 6CA4 4008 C3E0 142A 3EB3
  ^C
  psypete@zippy:~$ ncat --ssl -v -4 www.google.com 443
  Ncat: SSL connection to 172.217.3.4:443. Google Inc
  Ncat: SHA-1 fingerprint: DD3B 8AD7 5ADA C17A F7DC 6CA4 4008 C3E0 142A 3EB3
  ^C
  psypete@zippy:~$ ncat --ssl -v -4 google.com 443
  Ncat: SSL connection to 172.217.1.206:443. Google Inc
  Ncat: SHA-1 fingerprint: 5E7B 8140 CF98 AFE9 2BBA BA06 0D83 1277 1702 DD49
  ^C
  psypete@zippy:~$ ncat --ssl -v -4 google.com 443
  Ncat: SSL connection to 216.58.217.174:443. Google Inc
  Ncat: SHA-1 fingerprint: 5E7B 8140 CF98 AFE9 2BBA BA06 0D83 1277 1702 DD49