Site Certificate Problem


David E. Ross

Dec 23, 2011, 2:34:04 PM12/23/11
to mozilla-dev-s...@lists.mozilla.org
Using SeaMonkey 2.6.1, I went to <http://www.fafsa.ed.gov/> and selected
the link to "School Code Search", which is
<http://www.fafsa.ed.gov/FAFSA/app/schoolSearch?locale=en_EN>. I
got an error message that stated:
www.fafsa.ed.gov uses an invalid security certificate.
The certificate is only valid for the following names:
a248.e.akamai.net, *.akamaihd.net, *.akamaihd-staging.net

Using IE 7, I did not get this error. Instead
<http://www.fafsa.ed.gov/FAFSA/app/schoolSearch?locale=en_EN> redirected
to <https://fafsa.ed.gov/FAFSA/app/schoolSearch?locale=en_EN>, which
successfully displayed.

--

David E. Ross
<http://www.rossde.com/>.

Anyone who thinks government owns a monopoly on inefficient, obstructive
bureaucracy has obviously never worked for a large corporation.
© 1997 by David E. Ross

Eddy Nigg

Dec 23, 2011, 3:02:35 PM12/23/11
to mozilla-dev-s...@lists.mozilla.org
On 12/23/2011 09:34 PM, From David E. Ross:
> Using IE 7, I did not get this error. Instead
> <http://www.fafsa.ed.gov/FAFSA/app/schoolSearch?locale=en_EN> redirected
> to <https://fafsa.ed.gov/FAFSA/app/schoolSearch?locale=en_EN>, which
> successfully displayed.

Missing intermediate CA certificate in chain is not sent by the server.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

David E. Ross

Dec 23, 2011, 5:17:11 PM12/23/11
to mozilla-dev-s...@lists.mozilla.org
On 12/23/11 12:02 PM, Eddy Nigg wrote:
> On 12/23/2011 09:34 PM, From David E. Ross:
>> Using IE 7, I did not get this error. Instead
>> <http://www.fafsa.ed.gov/FAFSA/app/schoolSearch?locale=en_EN> redirected
>> to <https://fafsa.ed.gov/FAFSA/app/schoolSearch?locale=en_EN>, which
>> successfully displayed.
>
> Missing intermediate CA certificate in chain is not sent by the server.
>

Mozilla treats a missing intermediate certificate as if the site
certificate is for the wrong domain?

Ondrej Mikle

Dec 23, 2011, 5:57:58 PM12/23/11
to dev-secur...@lists.mozilla.org
On 12/23/11 23:17, David E. Ross wrote:
> On 12/23/11 12:02 PM, Eddy Nigg wrote:
>> On 12/23/2011 09:34 PM, From David E. Ross:
>>> Using IE 7, I did not get this error. Instead
>>> <http://www.fafsa.ed.gov/FAFSA/app/schoolSearch?locale=en_EN> redirected
>>> to <https://fafsa.ed.gov/FAFSA/app/schoolSearch?locale=en_EN>, which
>>> successfully displayed.
>>
>> Missing intermediate CA certificate in chain is not sent by the server.
>>
>
> Mozilla treats a missing intermediate certificate as if the site
> certificate is for the wrong domain?

(missing intermediate certs: can happen, but does seem to be the case here.)

I've checked out this specific case, the original URL redirects to
https://fafsa.ed.gov/FAFSA/app/schoolSearch?locale=en_EN (in Seamonkey 2.6 and
Firefox 9.0.1).

SAN extension matches fafsa.ed.gov, thus the trust-chain check succeeds.

(Only when I explicitly tried "openssl s_client www.fafsa.ed.gov:443" I got
Akamai's generic cert.)

Ondrej
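
As an added example (not code from the thread), the hostname-to-SAN comparison a browser performs before reporting the error quoted at the top of this thread, run offline against the three names in that error message; the SAN list for the redirect target (FAFSA_SAN) is constructed, not taken from the real certificate.

```python
# Added example, not from the thread: RFC 6125-style matching of a hostname
# against a certificate's subjectAltName dNSName entries. Shows why
# www.fafsa.ed.gov fails against Akamai's generic certificate while the
# redirect target passes. No network access; all inputs are inline.

def label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label; a bare '*' matches exactly one non-empty label."""
    if pattern_label == "*":
        return host_label != ""
    return pattern_label.lower() == host_label.lower()


def hostname_matches_san(hostname: str, san_dns_names: list[str]) -> bool:
    """True if hostname matches any dNSName (exact, or leftmost single-label wildcard)."""
    host_labels = hostname.rstrip(".").split(".")
    for name in san_dns_names:
        pattern_labels = name.rstrip(".").split(".")
        # A wildcard never spans labels, so label counts must be equal.
        if len(pattern_labels) != len(host_labels):
            continue
        # Wildcards are only honoured as the whole leftmost label.
        if "*" in "".join(pattern_labels[1:]):
            continue
        if pattern_labels[0] != "*" and "*" in pattern_labels[0]:
            continue  # partial wildcards such as "f*.ed.gov" are rejected
        if all(label_matches(p, h) for p, h in zip(pattern_labels, host_labels)):
            return True
    return False


def explain(hostname: str, san_dns_names: list[str]) -> str:
    """One-line verdict in the spirit of the browser's error text."""
    ok = hostname_matches_san(hostname, san_dns_names)
    return f"{hostname}: {'OK' if ok else 'MISMATCH'} against {san_dns_names}"


# SAN names exactly as quoted in the original SeaMonkey error message.
AKAMAI_GENERIC_SAN = ["a248.e.akamai.net", "*.akamaihd.net", "*.akamaihd-staging.net"]
# Constructed SAN list for the redirect target (assumption, not the real cert).
FAFSA_SAN = ["fafsa.ed.gov", "www.fafsa.ed.gov"]

if __name__ == "__main__":
    print(explain("www.fafsa.ed.gov", AKAMAI_GENERIC_SAN))   # MISMATCH
    print(explain("fafsa.ed.gov", FAFSA_SAN))                # OK
    print(explain("foo.akamaihd.net", AKAMAI_GENERIC_SAN))   # OK (wildcard)
    print(explain("a.b.akamaihd.net", AKAMAI_GENERIC_SAN))   # MISMATCH (two labels)
```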

David E. Ross

Dec 23, 2011, 7:41:52 PM12/23/11
to mozilla-dev-s...@lists.mozilla.org
On 12/23/11 11:34 AM, David E. Ross wrote:
> Using SeaMonkey 2.6.1, I went to <http://www.fafsa.ed.gov/> and selected
> the link to "School Code Search", which is
> <http://www.fafsa.ed.gov/FAFSA/app/schoolSearch?locale=en_EN>. I
> got an error message that stated:
> www.fafsa.ed.gov uses an invalid security certificate.
> The certificate is only valid for the following names:
> a248.e.akamai.net, *.akamaihd.net, *.akamaihd-staging.net
>
> Using IE 7, I did not get this error. Instead
> <http://www.fafsa.ed.gov/FAFSA/app/schoolSearch?locale=en_EN> redirected
> to <https://fafsa.ed.gov/FAFSA/app/schoolSearch?locale=en_EN>, which
> successfully displayed.
>

The problem is apparently caused by UA sniffing. If I use SeaMonkey
2.6.1 but spoof IE 7 or Firefox 8.0.1, the page at
<http://www.fafsa.ed.gov/FAFSA/app/schoolSearch?locale=en_EN> is
displayed without any error. The site certificate then chains to
USERTrust Legacy Secure Server CA.

If I do not spoof a UA, I get the error. The Akamai site certificate
chains to GTE CyberTrust Global Root. This is another case of a Web
site not recognizing "Gecko is Gecko". An old Tech Evangelism bug
report already exists for this site.