View Full Version : VM web site SSL cert config error


rahrah
26-11-2008, 18:19
Hello,

I emailed VM tech support about a config error on their https://selfcare.virginmedia.com site. They told me to call them; I called them; they failed to acknowledge the problem, saying that the problem is not apparent with IE. I told them that IE caches intermediate certificates so it's not so obvious with that. They told me they only support IE, not Firefox or other browsers.

Anybody know how to get them to correct their mistake? A webmaster email address or some such thing perhaps?

Cheers,

===R

Attached, my orig email:

SSL certificate error on your selfcare site

Hi,

Your site: https://selfcare.virginmedia.com is protected with an ssl
certificate. Unfortunately, you do not publish the intermediate
certificate in the certificates you present to clients. Your site is
therefore flagged by browsers as being certified by an unknown
authority.

You need to append your certificate to the intermediate
certificate, and configure your ssl software to present BOTH certificates
to clients. I've attached, inline, the full certificate chain (with human
readable text) that should be sent to clients, for reference only.

Cheers, ....


Certificate:
Data:
Version: 3 (0x2)
Serial Number:
75:33:7d:9a:b0:e1:23:3b:ae:2d:7d:e4:46:91:62:d4
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
Validity
Not Before: Jan 19 00:00:00 2005 GMT
Not After : Jan 18 23:59:59 2015 GMT
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)05, CN=VeriSign Class 3 Secure Server CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:95:c3:21:12:8e:40:c5:0d:01:5f:76:5e:66:94:
d9:73:2c:58:19:22:b8:c9:fc:7a:39:90:2a:77:72:
7c:1d:3e:f7:d8:55:e3:af:42:cb:87:30:02:dc:5b:
ac:70:e6:b8:44:b4:2b:35:eb:93:d2:17:05:7e:cb:
46:d6:5c:53:a0:32:51:9d:74:64:58:f9:0c:9a:00:
ea:5e:44:49:64:72:f4:cd:10:e2:85:0a:f9:34:ee:
b3:88:66:a9:a5:a4:5a:d0:0e:98:7f:58:0d:2b:52:
bb:86:a9:7e:2e:fa:b2:48:7c:8d:db:2d:5f:01:75:
a2:8d:06:3b:8b:b4:61:07:c9:be:22:99:f8:1b:d1:
b5:57:66:04:4d:35:f4:91:71:96:b5:99:08:25:9b:
97:c8:3a:f3:20:b1:dd:9e:98:0c:4a:63:b7:a6:ce:
b0:01:ce:f8:93:6a:f3:0c:6e:9f:b1:e9:84:7b:81:
98:41:e6:81:dc:3d:2c:e7:b4:6b:e3:9e:fc:08:16:
d7:b3:d5:b9:66:12:99:7c:6d:71:c8:4d:be:c7:0f:
e3:fb:37:ad:d5:75:87:21:6b:86:d0:44:14:5a:54:
79:39:96:69:56:c9:b9:31:cd:89:61:58:e1:d9:76:
05:05:ad:f7:b9:02:af:a7:fd:47:91:a2:22:34:5a:
31:d1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.23.3
CPS: https://www.verisign.com/rpa

X509v3 CRL Distribution Points:
URI:http://crl.verisign.com/pca3.crl

X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Netscape Cert Type:
SSL CA, S/MIME CA
X509v3 Subject Alternative Name:
DirName:/CN=Class3CA2048-1-45
X509v3 Subject Key Identifier:
6F:EC:AF:A0:DD:8A:A4:EF:F5:2A:10:67:2D:3F:55:82:BC:D7:EF:25
X509v3 Authority Key Identifier:
DirName:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
serial:70:BA:E4:1D:10:D9:29:34:B6:38:CA:7B:03:CC:BA:BF

Signature Algorithm: sha1WithRSAEncryption
c3:7e:08:46:5d:91:36:cf:67:dc:d7:a7:af:af:b8:22:c3:8b:
04:74:d3:b1:60:bc:e6:fe:b7:44:12:81:5b:31:73:14:63:56:
c6:72:2e:d1:1a:03:43:5c:38:0a:50:4a:4d:cd:da:b6:19:a8:
f4:99:0d:af:e3:f7:d8:f1:75:28:65:f6:6a:fe:9b:f4:bd:52:
d9:3f:cb:da:16:cb:a5:9e:2e:8e:66:52:78:3d:26:fa:fe:94:
36:88:4a:95:5e:2a:4c:19:ef:6e:fa:82:3f:2d:03:ef:d6:28:
b3:37:18:cf:42:b2:34:21:64:47:d3:20:6b:3a:4c:dc:e6:03:
90:0c
-----BEGIN CERTIFICATE-----
MIIEnDCCBAWgAwIBAgIQdTN9mrDhIzuuLX3kRpFi1DANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNMDUwMTE5MDAwMDAwWhcNMTUwMTE4MjM1OTU5WjCBsDELMAkGA1UEBhMCVVMx
FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz
dCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cu
dmVyaXNpZ24uY29tL3JwYSAoYykwNTEqMCgGA1UEAxMhVmVyaVNpZ24gQ2xhc3Mg
MyBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAlcMhEo5AxQ0BX3ZeZpTZcyxYGSK4yfx6OZAqd3J8HT732FXjr0LLhzAC3Fus
cOa4RLQrNeuT0hcFfstG1lxToDJRnXRkWPkMmgDqXkRJZHL0zRDihQr5NO6ziGap
paRa0A6Yf1gNK1K7hql+LvqySHyN2y1fAXWijQY7i7RhB8m+Ipn4G9G1V2YETTX0
kXGWtZkIJZuXyDrzILHdnpgMSmO3ps6wAc74k2rzDG6fsemEe4GYQeaB3D0s57Rr
4578CBbXs9W5ZhKZfG1xyE2+xw/j+zet1XWHIWuG0EQUWlR5OZZpVsm5Mc2JYVjh
2XYFBa33uQKvp/1HkaIiNFox0QIDAQABo4IBgTCCAX0wEgYDVR0TAQH/BAgwBgEB
/wIBADBEBgNVHSAEPTA7MDkGC2CGSAGG+EUBBxcDMCowKAYIKwYBBQUHAgEWHGh0
dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9ycGEwMQYDVR0fBCowKDAmoCSgIoYgaHR0
cDovL2NybC52ZXJpc2lnbi5jb20vcGNhMy5jcmwwDgYDVR0PAQH/BAQDAgEGMBEG
CWCGSAGG+EIBAQQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRQ2xhc3Mz
Q0EyMDQ4LTEtNDUwHQYDVR0OBBYEFG/sr6DdiqTv9SoQZy0/VYK81+8lMIGABgNV
HSMEeTB3oWOkYTBfMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIElu
Yy4xNzA1BgNVBAsTLkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlv
biBBdXRob3JpdHmCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQEFBQADgYEA
w34IRl2RNs9n3Nenr6+4IsOLBHTTsWC85v63RBKBWzFzFGNWxnIu0RoDQ1w4ClBK
Tc3athmo9JkNr+P32PF1KGX2av6b9L1S2T/L2hbLpZ4ujmZSeD0m+v6UNohKlV4q
TBnvbvqCPy0D79YoszcYz0KyNCFkR9MgazpM3OYDkAw=
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2f:b9:6d:77:09:b1:48:12:86:63:11:24:4f:ff:f0:37
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)05, CN=VeriSign Class 3 Secure Server CA
Validity
Not Before: Oct 6 00:00:00 2008 GMT
Not After : Oct 6 23:59:59 2010 GMT
Subject: C=GB, ST=Merseyside, L=Knowsley, O=Virgin Media Ltd, OU=Internet Operations, CN=selfcare.virginmedia.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d1:a4:72:64:1b:ba:03:93:50:ec:0c:42:5f:a9:
49:c5:a9:48:67:7d:d8:52:19:b2:67:10:f1:e1:6e:
e8:e8:56:aa:3a:1a:4e:56:17:66:b6:8a:1d:58:c7:
8d:a7:6e:24:b1:8c:05:a8:fb:de:17:bf:90:73:73:
d4:54:8c:7a:e2:51:c4:2e:6d:2f:86:61:3d:f0:dc:
88:b3:fc:bc:19:d5:52:01:a9:95:e1:15:92:0c:e3:
5d:63:33:d1:ec:03:2b:08:9a:dc:18:67:07:25:68:
37:e4:cc:0f:a4:39:9d:a0:99:0b:d0:69:76:69:13:
95:f5:d5:d9:c5:c7:a8:4a:05
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
URI:http://SVRSecure-crl.verisign.com/SVRSecure2005.crl

X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.23.3
CPS: https://www.verisign.com/rpa

X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Authority Key Identifier:
keyid:6F:EC:AF:A0:DD:8A:A4:EF:F5:2A:10:67:2D:3F:55:82:BC:D7:EF:25

Authority Information Access:
OCSP - URI:http://ocsp.verisign.com
CA Issuers - URI:http://SVRSecure-aia.verisign.com/SVRSecure2005-aia.cer

1.3.6.1.5.5.7.1.12:
0`.^.\0Z0X0V..image/gif0!0.0...+......Kk.(.....R8.).K..!..0&.$http://logo.verisign.com/vslogo1.gif
Signature Algorithm: sha1WithRSAEncryption
07:2f:8c:b8:b1:18:ff:eb:3f:c8:85:90:f4:0d:a1:67:44:10:
a4:89:fd:61:a6:fe:75:c6:bb:44:59:ef:78:4f:c2:62:40:c6:
e6:45:5e:f1:d4:b7:4d:d9:39:c8:18:ad:df:4f:13:f7:f9:28:
e2:d5:b3:53:01:e9:0d:54:d8:6e:98:03:d1:ab:b7:bd:75:51:
51:5b:37:08:1a:61:76:da:06:33:b5:e6:ef:0d:ff:95:ec:57:
b5:01:05:16:6e:be:a1:15:85:40:b5:32:cf:71:31:12:32:d1:
00:3d:4c:a1:0e:ac:ab:5e:b4:e0:4b:25:ee:19:51:4a:46:99:
da:be:ed:2b:3b:c1:71:31:f0:cf:f5:95:f2:e4:45:94:ce:47:
eb:22:06:54:4e:9f:2a:c5:16:cc:a8:22:e8:f9:18:b5:cb:9a:
5b:97:92:d3:3c:61:1c:40:a3:4e:90:ce:00:e2:b2:08:2a:51:
3b:2f:97:47:fb:07:6a:28:a9:60:cc:fa:0d:85:43:66:c3:54:
a4:e3:a1:03:fa:6e:57:9a:08:3d:89:1a:f3:0d:86:f9:20:46:
eb:b2:8b:9b:59:31:da:9a:62:7e:aa:2d:4e:55:e0:55:bd:6b:
3a:18:c1:98:36:b6:8f:1d:c1:6e:48:7e:7b:a0:23:03:65:eb:
7a:5d:e3:7e
-----BEGIN CERTIFICATE-----
MIIFHjCCBAagAwIBAgIQL7ltdwmxSBKGYxEkT//wNzANBgkqhkiG9w0BAQUFADCB
sDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNTEqMCgGA1UEAxMh
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBMB4XDTA4MTAwNjAwMDAw
MFoXDTEwMTAwNjIzNTk1OVowgZExCzAJBgNVBAYTAkdCMRMwEQYDVQQIEwpNZXJz
ZXlzaWRlMREwDwYDVQQHFAhLbm93c2xleTEZMBcGA1UEChQQVmlyZ2luIE1lZGlh
IEx0ZDEcMBoGA1UECxQTSW50ZXJuZXQgT3BlcmF0aW9uczEhMB8GA1UEAxQYc2Vs
ZmNhcmUudmlyZ2lubWVkaWEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDRpHJkG7oDk1DsDEJfqUnFqUhnfdhSGbJnEPHhbujoVqo6Gk5WF2a2ih1Yx42n
biSxjAWo+94Xv5Bzc9RUjHriUcQubS+GYT3w3Iiz/LwZ1VIBqZXhFZIM411jM9Hs
AysImtwYZwclaDfkzA+kOZ2gmQvQaXZpE5X11dnFx6hKBQIDAQABo4IB0zCCAc8w
CQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwRAYDVR0fBD0wOzA5oDegNYYzaHR0cDov
L1NWUlNlY3VyZS1jcmwudmVyaXNpZ24uY29tL1NWUlNlY3VyZTIwMDUuY3JsMEQG
A1UdIAQ9MDswOQYLYIZIAYb4RQEHFwMwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93
d3cudmVyaXNpZ24uY29tL3JwYTAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwHwYDVR0jBBgwFoAUb+yvoN2KpO/1KhBnLT9VgrzX7yUweQYIKwYBBQUHAQEE
bTBrMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC52ZXJpc2lnbi5jb20wQwYIKwYB
BQUHMAKGN2h0dHA6Ly9TVlJTZWN1cmUtYWlhLnZlcmlzaWduLmNvbS9TVlJTZWN1
cmUyMDA1LWFpYS5jZXIwbgYIKwYBBQUHAQwEYjBgoV6gXDBaMFgwVhYJaW1hZ2Uv
Z2lmMCEwHzAHBgUrDgMCGgQUS2u5KJYGDLvQUjibKaxLB4shBRgwJhYkaHR0cDov
L2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nbzEuZ2lmMA0GCSqGSIb3DQEBBQUAA4IB
AQAHL4y4sRj/6z/IhZD0DaFnRBCkif1hpv51xrtEWe94T8JiQMbmRV7x1LdN2TnI
GK3fTxP3+Sji1bNTAekNVNhumAPRq7e9dVFRWzcIGmF22gYztebvDf+V7Fe1AQUW
br6hFYVAtTLPcTESMtEAPUyhDqyrXrTgSyXuGVFKRpnavu0rO8FxMfDP9ZXy5EWU
zkfrIgZUTp8qxRbMqCLo+Ri1y5pbl5LTPGEcQKNOkM4A4rIIKlE7L5dH+wdqKKlg
zPoNhUNmw1Sk46ED+m5Xmgg9iRrzDYb5IEbrsoubWTHammJ+qi1OVeBVvWs6GMGY
NraPHcFuSH57oCMDZet6XeN+
-----END CERTIFICATE-----

Toto
26-11-2008, 19:30
Hello,

I emailed VM tech support about a config error on their https://selfcare.virginmedia.com site. They told me to call them; I called them; they failed to acknowledge the problem, saying that the problem is not apparent with IE. I told them that IE caches intermediate certificates so it's not so obvious with that. They told me they only support IE, not Firefox or other browsers.

Anybody know how to get them to correct their mistake? A webmaster email address or some such thing perhaps?

Cheers,

===R

Attached, my orig email:

Can you list the browsers that flag this certificate as a problem please.

rahrah
27-11-2008, 06:02
Hello Toto,

Errors with these:

Firefox 2.0.0.x Linux Windows
Firefox 3.0.x Linux Windows
Konqueror 3.5.x Linux

If you don't get an error, then you've accepted the cert before.

You can also use openssl s_client, but you'd have to configure
some root certs and be able to correctly interpret the results,
so this would only prove to point to somebody who doesn't need
convincing.

openssl s_client -connect selfcare.virginmedia.com:443 -showcerts

No Errors with:

Opera 9.5.0 and greater
IE 6 (and greater) not tested by me.

Opera 9.5.x downloads intermediate certificates on the fly, using
the AIA (Authority Information Access) mechanism, and so does IE,
but this is just a convenience for misconfigured servers. I
believe RFC 2246 states that all intermediate certificates should
be included with the host certificate.

You'll find more about this here:

http://my.opera.com/yngve/blog/2007/12/21/new-w-not-in-kestrel4
http://blogs.msdn.com/larryosterman/archive/2004/06/04/148612.aspx

The Opera doc (above) states:


SSL/TLS servers that do not send intermediate certificates are
actually not operating in compliance with the SSL/TLS standard.
The standard requires the server to send any CA certificates it
cannot reasonably expect the client to have already, and the only
thing it can expect the client to have is the root certificate,
and not any intermediates.

It must be possible to get somebody on their web team to configure
their server correctly. Or perhaps not.

===R

Stuart
27-11-2008, 11:38
Opera 9.62 doesn't give an error, but it does bring up a question mark in the address bar that brings up a warning about an invalid certificate when you double click it.

---------- Post added at 11:38 ---------- Previous post was at 11:37 ----------

Have you tried webmaster@virginmedia.com? I don't know if that is the right address, but a lot of companies do use that address.

BenMcr
27-11-2008, 11:50
I've just tried loading it in Opera and I don't get the question mark. It says the site is secure

---------- Post added at 11:50 ---------- Previous post was at 11:45 ----------

I'll mention it tomorrow

rahrah
27-11-2008, 17:46
Opera 9.62 doesn't give an error, but it does bring up a question mark in the address bar that brings up a warning about an invalid certificate when you double click it.


I'm surprised by that result. Perhaps the verisign site was down for a jiffy when you tried. It works fine for me. If you go to:

Tools|Preferences|Advanced|Security|Manage Certificates|Intermediate

before you go to the selfcare site, you'll see just one cert in there (Starfield issuing CA). If you then go to the selfcare site, you'll see that "VeriSign Class 3 Secure Server" has been added. All this, of course, on a clean install of Opera. Dunno where Opera keeps its cache under Windows. I just unpack the tar ball under Linux and run it in situ. The file the intermediate certs seem to be kept in under Linux is profile/opicacrt6.dat so I guess it wouldn't be too hard to find under Windows.

Have you tried webmaster@virginmedia.com? I don't know if that is the right address, but a lot of companies do use that address.

No response as yet. I tried postmaster, too, on the off chance that somebody who cared might read it.

It's interesting to see how difficult it is to get them to do something about it. If somebody hacked their site and put up false certs, porn, whatever, I wonder by what means they would find out about it.

===R

Joxer
29-11-2008, 13:23
This is a known issue as far as I know though if I remember correctly it says it is only an issue with Firefox (meaning they haven't tested anything else).

You can add Konqueror 4.1.2 to the list, just tested it.