Privacy Issue with riscosdev.com when accessed via RISC OS
Doug Webb (190) 1183 posts |
Hi, Before I report an issue, is anyone else having issues with the riscosdev.com site? Using Netsurf I get a “privacy issue, unknown error occurred when processing the certificate”. When using IRIS I get “Signing certificate authority not known”. I’ve tried it on 3 different RISC OS systems here with the same results and all have the latest CertData file. The strange thing is using Chrome on my phone and the site is OK. All RISC OS systems are 5.30 with the latest disc files. |
David J. Ruck (33) 1675 posts |
It’s using a valid LetsEncrypt certificate, so you probably haven’t got the CA certificates installed on RISC OS. |
Doug Webb (190) 1183 posts |
I’ve got the standard certificates installed with RISC OS and no other site gives an issue! Just to be sure I have installed that file again from the RISC OS disc image, CertData, in Internet.files and it’s still the same. I’ve also used !UpDataCert and it downloads CA Root Certificates from Mozilla, the one dated 24/09/2024. |
Chris Gransden (337) 1209 posts |
The intermediate certificate is missing on the server. |
Doug Webb (190) 1183 posts |
Thanks Chris, I’ll let them know. Funny thing is Windows/Android/Linux don’t report any issues, so one up for RISC OS :-) |
Rick Murray (539) 13958 posts |
Windows/Android/Linux didn’t report any warning because the browsers you were using are smart enough to go fetch the missing certificates themselves (if not already known to the browser). Try something simpler, like curl, and it may well throw an error. |
Doug Webb (190) 1183 posts |
Rick, Thanks for the explanation.
I’m always nervous when the word smart is used as what can be sensible and smart can also be open to exploitation without you realising it, as it is hidden behind the scenes. Still you have to have some trust and faith and that’s why scammers find it so easy. Rock and hard place spring to mind. |
Martin Avison (27) 1512 posts |
I met the same problem with my website, where the secure version is under the homepages.force9.net certificate (part of Plusnet). It does not work with any RISC OS browsers I have (i.e. Netsurf and Iris), but does work with Firefox on Windows and others. My understanding is that web servers are supposed to serve clients the end-entity certificate for their website, along with all the intermediate certificates needed to connect to the root – this is known as the certificate chain. This allows the client to easily trace the signature back to the root certificate in its root store and verify the certificate. Some clients detect the missing intermediates error, and take action to try and get the intermediate certificates themselves, but this should not be required. Rather ironic that riscosdev have met the same problem with Iris! It will be interesting to see if they fix the website or Iris. |
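The chain behaviour described in the post above can be reproduced offline with the openssl command line. This is an added example, not posted by anyone in the thread: it builds a throwaway root, intermediate and leaf, then checks the leaf as a strict client would, using only the root it trusts plus whatever the server sent. All names (Demo Root, Demo Intermediate, www.example.test, the file names) are constructed, and it assumes OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Constructed demo: every name and file here is made up for illustration.

issue() {  # $1=file stem  $2=CN  $3=issuer stem  $4=extension section  $5=serial
    openssl req -new -config "$d/cfg" -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/$1.csr" -CA "$d/$3.pem" -CAkey "$d/$3.key" \
        -set_serial "$5" -days 2 -extfile "$d/cfg" -extensions "$4" \
        -out "$d/$1.pem" 2>/dev/null
}

make_chain() {  # $1 = working directory; builds root -> intermediate -> leaf
    d=$1
    cat > "$d/cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
    # Self-signed root: the only certificate the client has in its store.
    openssl req -x509 -config "$d/cfg" -extensions ca -newkey rsa:2048 -nodes \
        -days 2 -subj "/CN=Demo Root" -keyout "$d/root.key" \
        -out "$d/root.pem" 2>/dev/null &&
    issue int "Demo Intermediate" root ca 2 &&
    issue leaf "www.example.test" int leaf 3 &&
    # What a correctly configured server sends: leaf first, then intermediate.
    cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"
}

# Strict client: trusts only the root, builds the path from what was sent ($2).
client_accepts() {  # $1 = working directory, $2 = PEM file the server sends
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem" >/dev/null 2>&1
}

demo() {
    w=$(mktemp -d) && make_chain "$w" || return 1
    for sent in leaf.pem fullchain.pem; do
        if client_accepts "$w" "$w/$sent"; then echo "server sends $sent: verified"
        else echo "server sends $sent: rejected"; fi
    done
    rm -rf "$w"
}
demo
```

The leaf-only case is rejected because the client cannot find the leaf's issuer, which is the condition a client that fetches missing intermediates hides.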
Jean-Michel BRUCK (3009) 380 posts |
Just tested, |
Andrew Rawnsley (492) 1450 posts |
Not sure if relevant, but AFAIK CertData file in !Internet is only used by programs using the AcornSSL module. Neither NetSurf nor Iris use AcornSSL as they contain their own SSL code. I believe the !CAcertificates folder is used by Iris (normally in !Boot.Resources) and Netsurf seems to have its own copy in !NetSurf.Resources (CA-bundle). I believe you can just copy the CertData file from !Internet (assuming it is more recent) with an appropriate filename to replace the versions in NetSurf and !CAcertificates. However, I strongly recommend taking a backup copy first. Sadly it doesn’t fix this problem, but I have just tried copying the latest nightly HardDisc4 CertData file into NetSurf, and it seemed to work fine. |
Steve Pampling (1551) 8228 posts |
I believe you can set NetSurf to use the system CertData and thus only have one copy of the data on your system. |
Dave Higton (1515) 3584 posts |
My !Run file contains this line:
|
Cameron Cawley (3514) 164 posts |
It’s also worth mentioning that the GCCSDK version of curl (and applications that use it) have been using InetDBase:CertData for quite some time now. http://riscos.info/websvn/comp.php?repname=gccsdk&compare[]=%2Ftrunk%2Fautobuilder%2Flibraries%2Flibcurl3%2Fsetvars@7271&compare[]=%2Ftrunk%2Fautobuilder%2Flibraries%2Flibcurl3%2Fsetvars@7272 There are probably a couple of additional holdouts, but !CAcertificates seems to be largely obsolete these days. |