[tor-talk] "Invalid Server Certificate" accessing torproject.org on Chrome/Windows

Ondrej Mikle ondrej.mikle at gmail.com
Wed Jan 4 20:10:18 UTC 2012


On 01/04/12 07:40, Greg wrote:
> Hi,
> I searched Google for people having problems accessing torproject.org
> from Chrome on Windows, but I didn't see much besides a discussion on
> December 21 about an outage
> (http://comments.gmane.org/gmane.network.tor.general/2514).
>
> I can access torproject.org from Firefox on my Windows (Server 2003)
> machine, but not from Chrome. I get an "Invalid Server Certificate"
> error and it doesn't let me continue. Any ideas what might be wrong
> with my Chrome/Windows setup?

I can reproduce it on WinXP/Chrome. This seems to be a bug in Microsoft 
CryptoAPI (unless I am missing something).

So what's going on here (amazing case of "cooperation paradox"):

1. Firefox and Chrome on Windows see different chains. Specifically, Chrome sees
a different intermediate certificate for "DigiCert High Assurance CA-3" than the
certificate sent by the www.torproject.org server.

2. Since www.torproject.org does not send the DigiCert root CA cert in the handshake,
each browser builds yet another chain to the root.

3. I've verified the chain seen by Chrome with gnutls, then looked at the
certificate differences by hand (checks out fine in both cases). I can't see why
MS CryptoAPI thinks the signature is invalid: it's not revoked and the validity
period, extensions, etc. seem fine as well.

Though it might be helpful if www.torproject.org sent the whole chain (up to the
DigiCert root).

If anyone wants to dig into it, three different chains are attached (one from 
Chrome 16.0.912.63 m/Win, two from Firefox 9.0.1/Linux - yes, it's possible to 
get two chains on different profiles).

Ondrej

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: torproject.org_chrome_chain
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20120104/570a5549/attachment-0003.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: torproject.org_firefox_chain
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20120104/570a5549/attachment-0004.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: torproject.org_firefox_chain_no_cross
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20120104/570a5549/attachment-0005.ksh>
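
Added example, not part of the original post: how the same server certificate can validate to different roots, or to none, depending on which certificate for the intermediate CA the client holds. It uses Go's `crypto/x509` path builder (not CryptoAPI or NSS) on constructed certificates in which one intermediate key is certified by two roots. All names and the helpers `issue`, `anchors` and `demo` are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a short-lived test cert for key, issued under the name `issuer` and signed by signer.
func issue(cn, issuer string, ca bool, key, signer ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuer}}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// anchors lists the root each valid chain ends in, given the intermediates this client holds.
func anchors(leaf *x509.Certificate, roots *x509.CertPool, inter ...*x509.Certificate) (out []string) {
	o := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool()}
	for _, c := range inter {
		o.Intermediates.AddCert(c)
	}
	chains, _ := leaf.Verify(o)
	for _, ch := range chains {
		out = append(out, ch[len(ch)-1].Subject.CommonName)
	}
	return out
}

// demo builds constructed data: one intermediate key ("CA-3") certified by two different roots.
func demo() (sent, cross, both, none []string) {
	g := func() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
	ka, kb, ki, roots := g(), g(), g(), x509.NewCertPool()
	roots.AddCert(issue("Constructed Root A", "Constructed Root A", true, ka, ka))
	roots.AddCert(issue("Constructed Root B", "Constructed Root B", true, kb, kb))
	viaA, viaB := issue("Constructed CA-3", "Constructed Root A", true, ki, ka), issue("Constructed CA-3", "Constructed Root B", true, ki, kb)
	leaf := issue("www.example.test", "Constructed CA-3", false, g(), ki)
	return anchors(leaf, roots, viaA), anchors(leaf, roots, viaB), anchors(leaf, roots, viaA, viaB), anchors(leaf, roots)
}

func main() { fmt.Println(demo()) }
```

`demo` returns the roots reached when the client holds only the first intermediate certificate, only the cross-signed one, both, or none. The last result is empty because no path can be built without an intermediate.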

