Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

SSL problem in 9.64

13 views
Skip to first unread message

Jens Schuessler

unread,
Mar 4, 2009, 2:05:20 PM3/4/09
to
I have a problem with the new 9.64

When I want to go to https://www.mymarket.ch/ Opera hangs infinitely.
I guess this hast something to do with this point in the changelog

· Added version conditional fetching of certificate dependencies from an
online repository

netstat says
,----
| tcp 0 0 xx:48009 212.23.245.178:443 ESTABLISHED 1000 2327033 26474/opera
| tcp 0 1 xx:51724 213.236.208.94:443 SYN_SENT 1000 2326033 26474/opera
|
`----
where 212.23.245.178 ist www.mymarket.ch and 213.236.208.94 is
certs.opera.com and this connection stays at SYN_SENT all the time. The
host is up and answers to a ping.

This problem doesn't occur in 9.63 and 10beta.
market.ch uses a normal cert from Verisign:

,----
| www.mymarket.ch
| VISECA Card Services SA
| Web, Terms of use at www.verisign.com/rpa (c)05
| Glattbrugg
| ZH
| CH
| Unknown fieldname1.3.6.1.4.1.311.60.2.1.3: CH
| Unknown fieldname2.5.4.15: V1.0, Clause 5.(b)
| serialNumber: CH-170.3.030.323-4
| Issuer
| VeriSign Class 3 Extended Validation SSL SGC CA
| VeriSign, Inc.
| VeriSign Trust Network, Terms of use at https://www.verisign.com/rpa
| (c)06
| US
|
`----

Other https-addresses work fine.

Any suggestions? What does this "fetching of certificate dependencies"
mean in this case?


Version 9.64 Build 2480
Plattform
Linux Betriebssystem i686, 2.6.26+2008-12-12 Qt-Bibliothek 3.3.8b Java
Java Runtime-Environment installiert

Debian lenny

Regards
Jens

Jens Schuessler

unread,
Mar 4, 2009, 2:29:28 PM3/4/09
to
Addendum:

After closing the tab with the hanging market.ch site, Opera keeps using
cpu like hell and trys to connect with certs.opera.com in a infinetily loop
conversation, which I can see in wireshark.

Yngve Nysaeter Pettersen (Developer, Opera Software A/S)

unread,
Mar 4, 2009, 3:14:34 PM3/4/09
to
On Wed, 4 Mar 2009 20:05:20 +0100, Jens Schuessler <j...@trash.net> wrote:

>I have a problem with the new 9.64
>
>When I want to go to https://www.mymarket.ch/ Opera hangs infinitely.
>I guess this hast something to do with this point in the changelog

The site's certificate is not correctly ordered, the certificates are sent as
#1, #3, #2, and that runs afoul a bug that had been missed, causing repeated
downloading of the root from our repository.

We are investigating (but the bug is fixed). The site can alleviate the problem
by fixing the certificate chain so that the intermediate CA certificate is sent
as #2.

Jens Schuessler

unread,
Mar 4, 2009, 4:16:07 PM3/4/09
to
* Yngve Nysaeter Pettersen (Developer, Opera Software A/S) <yn...@opera.com> [04-03-09 20:14]:

> On Wed, 4 Mar 2009 20:05:20 +0100, Jens Schuessler <j...@trash.net> wrote:
>
>>I have a problem with the new 9.64
>>
>>When I want to go to https://www.mymarket.ch/ Opera hangs infinitely.
>>I guess this hast something to do with this point in the changelog
>
> The site's certificate is not correctly ordered, the certificates are sent as
> #1, #3, #2, and that runs afoul a bug that had been missed, causing repeated
> downloading of the root from our repository.

Ok. Did you mention my second post, that this repeated downloading is
going on and on though i closed the connection to the site? I had to
close the browser to stop this.

> We are investigating (but the bug is fixed). The site can alleviate the problem
> by fixing the certificate chain so that the intermediate CA certificate is sent
> as #2.

So why doesn't that happen in .63? I thought Opera would use the certs
stored in /etc/ssl/certs rather than lookin in an online repository.
9.63 shows the chain as okay and doesn't make a connection to your repository.
Is there no way for me as a user to avoid this than connect the site
owner?

Yngve Nysaeter Pettersen (Developer, Opera Software A/S)

unread,
Mar 4, 2009, 4:35:18 PM3/4/09
to
On Wed, 4 Mar 2009 22:16:07 +0100, Jens Schuessler <j...@trash.net> wrote:

>* Yngve Nysaeter Pettersen (Developer, Opera Software A/S) <yn...@opera.com> [04-03-09 20:14]:
>> On Wed, 4 Mar 2009 20:05:20 +0100, Jens Schuessler <j...@trash.net> wrote:
>>
>>>I have a problem with the new 9.64
>>>
>>>When I want to go to https://www.mymarket.ch/ Opera hangs infinitely.
>>>I guess this hast something to do with this point in the changelog
>>
>> The site's certificate is not correctly ordered, the certificates are sent as
>> #1, #3, #2, and that runs afoul a bug that had been missed, causing repeated
>> downloading of the root from our repository.
>
>Ok. Did you mention my second post, that this repeated downloading is
>going on and on though i closed the connection to the site? I had to
>close the browser to stop this.

That is caused by the bug.

>> We are investigating (but the bug is fixed). The site can alleviate the problem
>> by fixing the certificate chain so that the intermediate CA certificate is sent
>> as #2.
>
>So why doesn't that happen in .63? I thought Opera would use the certs

Because modifications needed for some types of Extended Validation chains
triggered the bug.

>stored in /etc/ssl/certs rather than lookin in an online repository.
>9.63 shows the chain as okay and doesn't make a connection to your repository.

9.50+ is using an online repository for Root certificates

>Is there no way for me as a user to avoid this than connect the site
>owner?

We are considering a couple of options.

0 new messages