
website ssl certificate issue

Posted: Wed Jan 06, 2016 4:20 pm
by josh
I received a bunch of reports that people were getting error messages saying that the SSL certificate on our website has been revoked.

I could not reproduce the issue, and I spent some time researching it, but finally gave up and simply installed a new certificate on the server. I hate to say it, but I am not sure whether this will resolve the issue. If you are still having trouble after reading this, please let me know.

Re: website ssl certificate issue

Posted: Tue Mar 29, 2016 8:04 pm
by End User
Hi Josh

How about making this entire forum use a secure login and HTTPS? At least the login page should be HTTPS, since that would hide our passwords, which at this time are being sent in the clear with no security, so that anyone can intercept them.

Also, to whatever extent you are using either SSL v3.0 or TLS v1.0 anywhere, please change it so that only TLS 1.1 and TLS 1.2 are able to be used.

More information is available here for securing anyone's browsers on how to: Turn Off SSL 3.0 and TLS 1.0 in Your Browser.

Of course servers need different fixes.

Josh, hopefully you have a Risk Assessment and Risk Mitigation Plan already in place and are working to implement it. After June 30, 2016 it will be a whole different story, right?

Further reading from SecurityMetrics (these issues are not only for credit card transactions): http://blog.securitymetrics.com/2015/04/pci-3-1-ssl-and-tls.html

Best Regards

Re: website ssl certificate issue

Posted: Wed Mar 30, 2016 8:16 pm
by josh
There is nothing about the service that is PCI compliant :)

The main website has been using TLS 1.2 for quite a while now.

I have never thought about securing the bbs, which is totally separate from the main service.

Re: website ssl certificate issue

Posted: Sun Nov 27, 2016 11:58 am
by Clewby
josh wrote: I received a bunch of reports that people were getting error messages saying that the SSL certificate on our website has been revoked.

I could not reproduce the issue, and I spent some time researching it, but finally gave up and simply installed a new certificate on the server. I hate to say it, but I am not sure whether this will resolve the issue. If you are still having trouble after reading this, please let me know.


It resolved the issue for me, or rather, for the user I was supporting who had the issue - which is to say, the user was able to use the website after you changed the certificate when it was not possible beforehand. Since I couldn't work out the technical issue either, I can only assume the strong correlation is because what you did fixed (or bypassed) the actual problem.

I hate problems where you can't find the root cause, but you can, apparently, fix them by a 'simple' change.