'no certificate transparency information was supplied by the server'


Cenk K

Mar 9, 2016, 9:48:37 AM
to certificate-transparency
Hey guys,

Google Chrome says for a website I maintain that there was no certificate transparency information supplied by the server.
But when I search for the certificate on https://crt.sh/ the EV certificate can be found on Log Servers which are operated by Google.

Any idea why this is happening?


Thanks in advance!


Eran Messeri

Mar 9, 2016, 9:51:50 AM
to certificate-...@googlegroups.com
Hi,

Is the final EV certificate on crt.sh or a precertificate for that EV certificate?
Existing EV certificates, issued prior to 31st of December 2014, were 'grandfathered-in' and are whitelisted in Chrome, so they will get the EV treatment even if they do not include SCTs or have SCTs served with them.
Note that if SCTs are not served alongside an EV certificate, Chrome will not block the connection but downgrade it to a DV connection (i.e. the green bar with the organization's name will not appear).

You can use Chrome's NetLog to find out exactly what's going on (https://www.certificate-transparency.org/certificate-transparency-in-chrome).

Hope this helps,
Eran

--
You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transp...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Cenk

Mar 9, 2016, 10:25:53 AM
to certificate-transparency
Hi,

thanks for your answer. The EV certificate was issued prior to 31st December 2014 and it is the final EV certificate.

I used NetLog and tried to find out what is happening. That is the result for the SCT:

t=529019 [st=141]        SIGNED_CERTIFICATE_TIMESTAMPS_RECEIVED
                         --> embedded_scts = ""
                         --> scts_from_ocsp_response = ""
                         --> scts_from_tls_extension = ""
t=529019 [st=141]        SIGNED_CERTIFICATE_TIMESTAMPS_CHECKED
                         --> invalid_scts = []
                         --> unknown_logs_scts = []
                         --> verified_scts = []

Any ideas?


Regards,
Cenk

Eran Messeri

Mar 9, 2016, 10:28:23 AM
to certificate-...@googlegroups.com
So it's probably in the whitelist - there's code in https://github.com/google/certificate-transparency/tree/master/python/utilities/ev_whitelist to generate your own copy of the same whitelist (should produce the exact same whitelist used in Chrome) and check if it's there.

What are you trying to achieve? Are you trying to determine what's the reason the EV status is granted for this website? 


Cenk

Mar 9, 2016, 10:38:33 AM
to certificate-transparency
Not really. I am just confused why it says "The server did not supply any Certificate Transparency information" while the certificate can be found in the CT Logs.
Or is there no direct link between the message in Chrome I mentioned and the CT Logs? Did I just misunderstand the whole thing?

Pierre Phaneuf

Mar 9, 2016, 10:54:02 AM
to certificate-transparency
On Wed, Mar 9, 2016 at 3:38 PM, Cenk <cenk...@gmail.com> wrote:

> Not really. I am just confused why it says "The server did not supply any
> Certificate Transparency information" while the certificate can be found in
> the CT Logs.

What is meant by "the server" here isn't "the CT log servers", but
*your* server. If you didn't do anything to serve SCTs, and your
certificate does not have SCTs embedded in it, then you are "not
supplying any Certificate Transparency information".

Since your certificate does not appear to have embedded SCTs, you
would need to provide SCTs in the TLS handshake, say (usually done
with an extension to your web server, such as mod_ssl_ct, for Apache).

See this for more information:

https://www.certificate-transparency.org/resources-for-site-owners
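
The NetLog events quoted earlier in this thread can be read mechanically to see which delivery channel, if any, carried SCTs from the web server. This is an added example, not part of the original messages or of Chrome's code; it assumes the text-dump layout shown in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: the NetLog text dump as quoted in this thread.
SAMPLE_NETLOG = '''\
t=529019 [st=141]        SIGNED_CERTIFICATE_TIMESTAMPS_RECEIVED
                         --> embedded_scts = ""
                         --> scts_from_ocsp_response = ""
                         --> scts_from_tls_extension = ""
t=529019 [st=141]        SIGNED_CERTIFICATE_TIMESTAMPS_CHECKED
                         --> invalid_scts = []
                         --> unknown_logs_scts = []
                         --> verified_scts = []
'''

# The three ways a server can hand SCTs to the client, keyed by NetLog parameter.
CHANNELS = {
    "embedded_scts": "embedded in the certificate",
    "scts_from_ocsp_response": "stapled OCSP response",
    "scts_from_tls_extension": "TLS handshake extension",
}
EVENT_RE = re.compile(r"^t\s*=\s*\d+\s+\[st=\s*\d+\]\s+(\w+)")
PARAM_RE = re.compile(r"^\s*-->\s*(\w+)\s*=\s*(.*?)\s*$")
EMPTY = {'""', "[]", ""}

def parse_events(text):
    """Return {event_name: {param: raw_value}} from a NetLog text dump."""
    events, current = {}, None
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            current = events.setdefault(m.group(1), {})
            continue
        p = PARAM_RE.match(line)
        if p and current is not None:
            current[p.group(1)] = p.group(2)
    return events

def sct_delivery(text):
    """Return (channels that carried SCTs, whether any SCT verified)."""
    events = parse_events(text)
    received = events.get("SIGNED_CERTIFICATE_TIMESTAMPS_RECEIVED", {})
    checked = events.get("SIGNED_CERTIFICATE_TIMESTAMPS_CHECKED", {})
    delivered = [desc for key, desc in CHANNELS.items()
                 if received.get(key, "") not in EMPTY]
    return delivered, checked.get("verified_scts", "[]") not in EMPTY

if __name__ == "__main__":
    print(sct_delivery(SAMPLE_NETLOG))  # no channel carried SCTs
```

An empty channel list is the condition Chrome reports as the server supplying no Certificate Transparency information, regardless of whether the certificate appears in a CT log.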

Eran Messeri

Mar 9, 2016, 12:56:16 PM
to certificate-...@googlegroups.com
This bit of confusing UI is moving away from the page info pop-up and into DevTools, together with other detailed security information, by the way.
