SSL Certificate information incorrect
-
A site which I regularly visit is showing that the SSL certificate expired yesterday. I am not receiving any errors as a browse; it is just the info box which is wrong. Which makes me wonder if the dialog box is showing a cached date/time of expiry.
If I use a Vivaldi Private Window the expiry date correctly shows February next year. Using FF also shows the correct expiry date.
I've tested this in Vivalid Desktop for Linux, Windows, and also Android. All do the same.
Should I report this as a bug?
Desktop: 6.4.3160.44 (Stable channel) stable (64-bit)
Android: 6.4.3171.103Example screenshot is for the Linux Desktop.
Today's date/time at top of the screen. SSL Info box expiry date is wrong and should e Feb next year
-
@justdaj said in SSL Certificate information incorrect:
Should I report this as a bug?
If you give a domain in the report, so internal tester can check.
Please report issue to Vivaldi bug tracker. Once that is done, share the bug number (beginning with VB-) you got by bug report mail. Thanks for helping us making Vivaldi better.
-
@justdaj The shown "Expires On" is time and date in your timezone.
How do you know cert of domain was expired? -
Both times zones are UTC. However, I waited until today just in case there was a time zone issue. I'm in the UK.
I own and run the domain/website so knew it was due to expire. It auto renewed (7 days ago) and I always check in a browser, but it never seemed to update in Vivaldi
I will do a bug report now
-
@justdaj said in SSL Certificate information incorrect:
I will do a bug report now
Good, i will check it.
-
@DoctorG VB-101936
-
Can not reproduce this.
I see on my Vivaldi 6.4 on Windows 11 (german):
Ausgestellt am Sonntag, 19. November 2023 um 15:22:10
Gültig bis Samstag, 17. Februar 2024 um 15:22:09
Same On my Debian 12 KDE.I do not know if Vivaldi caches the certificate information of address lock for display.
Had you restartet Vivaldi after display of cert? -
I think it is a cache issue. I visit the site every day (multiple times). If I do a Private Window the correct info is shown, suggesting caching problem.
I reboot my PC, and therefore Vivaldi is shutdown, most days. I also restarted the server hosting the domain yesterday.
I suspect you can not replicate the issue as you have never visited the site before.
Very odd.
-
@justdaj I never saw such display issue with my expired R3 signed domains.
What happens if you clear HSTS status at internal page
vivaldi://net-internals/#hstssection "Delete domain security policies" for the domain ? -
No difference. I closed down Vivaldi. Restarted. Went to vivaldi://net-internals/#hsts. Entered the domain and clicked delete. Closed and Reopened Vivaldi
-
@justdaj Ctrl+Shift+Del and cleared cache for time "All"? Same?
And with a test profile? -
Ah, the nuclear option. Was hoping to avoid that.
Deleting "Storage (Including Extension Storage)" for All Time solves the problem
-
@justdaj said in SSL Certificate information incorrect:
Deleting "Storage (Including Extension Storage)" for All Time solves the problem
Did not know why Storage had to be deleted, less internal knowledge about the data there.
Nice to hear that it is solved now.
-
'Solved' is maybe a bit of a stretch! It strongly suggests there's an issue with how it reads/stores/displays the expiry date in certain circumstances. Me clearing data is no really the solution.
Thanks for all your suggestions.
I will be keeping an eye on various other sites to see how that goes
-
@justdaj If you see that again, please post here.
Then reply to the bug report mail of VB-101936 and add more information, such new information will be added to your bug report. -
@justdaj said in SSL Certificate information incorrect:
me wonder if the dialog box is showing a cached date/time of expiry.
If I use a Vivaldi Private Window the expiry date correctly shows February next year. Using FF also shows the correct expiry date.
HTTPS connections can be kept open, even if inactive, for some time, depending on the server's configuration and Chromium's need to release network sockets, and I guess clearing certain kinds data in Chromium will close connections, too.
The certificate is only checked when the TLS Session is established, in the first connection, and is used until the server refuses to accept it. So, when the certificate was updated, the server should have closed all open connections and invalidated all sessions..
The Private Window always uses new connections and TLS Sessions (it does not reuse currently open ones, because that could be used for tracking).
-
The SSL was renewed about a week ago. The PC had been rebooted a few times. I even rebooted the server yesterday, but it had made no difference.
Clearing the cache on the PC fixed it, but not the ultimate solution I would guess. I will keep an eye on future expirations
-
There are several ways for servers to store and share TLS Sessions, IIRC there is a mode that shares them (encrypted) with multiple servers in a cluster, and IIRC there is a way for the client to cache the whole encrypted thing and send it to the server when it connects (which helps when there are many servers).
The only way to avoid using a session for an expired certificate is that after a certificate renewal the server refuses to accept sessions that was created before the renewal (e.g. by destroying the encryption key used to encrypt sessions). That is not something that can really be enforced by Vivaldi and other clients, they reuse sessions until they are no longer accepted by the server.
Essentially, this is a server issue, and not really a client issue.
-
Hi,
Following this post, i can confirm that Chrome does no longer use the OS certificate store.
I'm pretty sure that should impact the way Chrome store the public certificate of the website and the negociated keys.I had seen the described bug of this thread too. I think the time match the time of the thread.
For me this bug is currently corrected, expired certificates seems renewed.
A fix must have passed during an update.I have currently the need to refresh a certificate (made by me) for development purpose, without waiting the expiration and came across this thread.
I think it can be closed.
PS : The time of the search and the writing, my certificate has renewed itself. Just having to wait.
-
This post is deleted!
