Privacy Issue with riscosev.com when accessed via RISC OS

Hi,

Before I report an issue, is anyone else having issues with the riscosdev.com site?

Using Netsurf I get a “privacy issue, unknown error occurred when processing the certificate”.

When using IRIS I get “Signing certificate authority not known”

I’ve tried it on 3 different RISC OS systems here with te same results and all have the latest CertData file.

The strange thing is using Chrome on my phone and the site is OK.

All RISC OS systems are 5.30 with the latest disc files.

It’s using a valid LetsEncrypt cetificate, so you probably haven’t got the CA certificates installed on RISC OS.

I’ve got the standard certificates installed with RISC OS and no other site gives an issue!

Just to be sure I have installed that file again from the RISC OS disc image,CertData, in Internet.files and it’s still the same.

I’ve also used !UpDataCert and it downloads CA Root Certificates from Mozilla ,the one dated 24/09/2024.

The intermediate certificate is missing on the server.

https://decoder.link/sslchecker/www.riscosdev.com/443?

Thanks Chris, I’ll let them know.

Funny thing is Windows/Android/Linux don’t report any issues, so one up for RISC OS :-)

Windows/Android/Linux didn’t report any warning because the browsers you were using are smart enough to go fetch the missing certificates themselves (if not already known to the browser).
The certificate itself isn’t invalid, the trust chain is broken. But those (trust) certificates are from elsewhere and can be fetched independently to complete the chain.

Try something simpler, like curl, and it may well throw an error.

Rick,

Thanks for the explanation.

smart enough to go fetch the missing certificates themselves

I’m always nervous when the word smart is used as what can be sensible and smart can also be open to exploitation without you realising it, as it is hidden behind the scenes.

Still you have to have some trust and faith and thats why scammers find it so easy.

Rock and hard place spring to mind

I met the same problem with my website, where the secure version is under the homepages.force9.net certificate (part of Plusnet). It does not work with any RISC OS browsers I have (ie Netsurf and Iris), but does work with Firefox on Windows and others.

My understanding is that Webservers are supposed to serve clients the end-entity certificate for their website, along with all the Intermediate certificates needed to connect to the root – this is known as the certificate chain. This allows the client to easily trace the signature back to the root certificate in its root store and verify the certificate.

Some clients detect the missing intermediates error, and take action to try and get the intermediate certificates themselves, but this should not be required.

Rather ironic that riscosdev have met the same problem with Iris! It will be interesting to see if they fix the website or Iris.

Just tested,
with !Netsurf I get a privacy error and by clicking on Proceed I have access to the page.
This is a window that appears more and more often, but !Netsurf is doing well!

Not sure if relevant, but AFAIK CertData file in !Internet is only used by programs using the AcornSSL module. Neither NetSurf nor Iris use AcornSSL as they contain their own SSL code. I believe the !CAcertificates folder is used by Iris (normally in !Boot.Resources) and Netsurf seems to have its own copy in !NetSurf.Resources (CA-bundle).

I believe you can just copy the CertData file from !Internet (assuming it is more recent) with an appropriate filename to replace the versions in NetSurf and !CAcertificates. However, I strongly recommend taking a backup copy first.

Sadly it doesn’t fix this problem, but I have just tried copying the latest nightly HardDisc4 CertData file into NetSurf, and it seemed to work fine.

I believe you can just copy the CertData file from !Internet (assuming it is more recent) with an appropriate filename to replace the versions in NetSurf and !CAcertificates.

I believe you can set NetSurf to use the system CertData and thus only have one copy of the data on your system

I believe you can set NetSurf to use the system CertData and thus only have one copy of the data on your system

My !Run file contains this line:

IfThere InetDBase:CertData Then Set NetSurf$CABundle InetDBase:CertData Else Set NetSurf$CABundle Netsurf:Resources.ca-bundle

It’s also worth mentioning that the GCCSDK version of curl (and applications that use it) have been using InetDBase:CertData for quite some time now.

http://riscos.info/websvn/comp.php?repname=gccsdk&compare[]=%2Ftrunk%2Fautobuilder%2Flibraries%2Flibcurl3%2Fsetvars@7271&compare[]=%2Ftrunk%2Fautobuilder%2Flibraries%2Flibcurl3%2Fsetvars@7272

There are probably a couple of additional holdouts, but !CAcertificates seems to be largely obsolete these days.