Can't connect to SSL website on vivaldi only (other browsers all work)
-
I've got a site which works on every other browser I've tried, but has a connection error on vivaldi, which says that the "connection to the site is not secure" -- but the SSL cert is good for another month. It's a Let's Encrypt certificate on a VPS I control.
Does Vivaldi work well with Let's Encrypt certs in general? Is there anything special I need to do to get it to accept them?
Thanks!
(This issue occurs on both MacOS and Linux btw)
-
@ejh Hi, do you have a link to this site?
You need to know the details of the error message. It will say on the error page. For instance
NET::ERR_CERT_AUTHORITY_INVALID
is the actual error. You can click this error message to view the cert.
Example: https://untrusted-root.badssl.com
You can click the Site Info button and view the certificate.
Does Vivaldi work well with Let's Encrypt certs in general?
Vivaldi has no problems with LetsEncrypt certs.
All Chromium browsers use the OS certificate truststore and LetsEncrypt certs are distributed globally.
Vivaldi and Firefox use Online Certificate Status Protocol (OCSP) to ask the issuer if the certificate has been revoked. Chrome does not use this protocol. This is likely why you are seeing different results.
You can check if a certificate has been revoked through OCSP or CSR, or has other issues using SSLLab’s Server Test.
-
SSL Labs says the server is fine.
https://www.ssllabs.com/ssltest/analyze.html?d=gdangus.com
I control this server so I'm very open to the possibility that the server is the problem and needs to be fixed, but since I can't duplicate the problem in any other context than Vivaldi visiting it, I thought I'd better rule out Vivaldi before filing a bug report against the software it's running (which is Narrowlink).
-
@ejh I am unable to reach the HTTPS port (443) of that site from two entirely different networks. I get a Connection Reset error.
I am able to reach the unencrypted HTTP port (80) on that server, including when just pasting the hostname in the address bar and clicking enter (which means that the HTTPS-first test fails, so falling back to HTTP).
I am also seeing the same thing in Chrome 126 and Edge 126
This indicates that the HTTPS server is not configured correctly in some fashion.
I notice an interesting thing about the ssllabs analysis: it does not test with the current configuration of Chromium TLS, which includes post-quantum-crypto handshake details, and there are servers (and "hidden" intermediate network "security" scanner devices) that break when receiving such a handshake.
That seems to be the case with your server. My main suggestion would be to update it to a TLS 1.3-supporting version that also supports Post-Quantum crypto (aka Kyber).
Alternatively, you could disable (as I suspect you have done in your other Chromium-based browsers) the temporary flag chrome://flags/#enable-tls13-kyber.
-
I haven't done anything special disabling quantum crypto in my copy of Chromium, but it is slightly old...
Downloading the latest version of Chromium gives me the exact same error as I was seeing on Vivaldi
Love it when perfectly valid SSL on Monday becomes a 100% unreachable site on Tuesday because the browser changed
But being able to duplicate the problem on a non-Vivaldi browser is very helpful and takes Vivaldi out of the equation. Thank you!
-
@ejh Actually, I am not sure you can call the server "perfectly valid", as according to the TLS specs it SHOULD have had no problem with Post-Quantum crypto handshakes. The new handshakes are longer than the previously used handshake messages, but the specification allows for records that are in the megabyte class, including the initial message(s). However, I seem to remember seeing reports about servers requiring those messages to fit inside a single TLS packet record (which is in the dozens-of-kilobytes area), which is a violation of the standard.
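A server-side check for the failure mode discussed in the two posts above (a post-quantum hybrid ClientHello being larger than older hellos, and some servers choking on it). This is an added example, not code from the thread or from Narrowlink: it sends a TLS 1.3 ClientHello padded (RFC 7685 padding extension) to roughly the size of a hybrid X25519+Kyber hello and reports whether the server answers with a ServerHello, an alert, or nothing at all. The 1400-byte target size is an assumption chosen to exceed a typical MTU, and the host name and port are placeholders you substitute for your own server.

```python
import os, socket, struct

def _ext(ext_type, body):
    """Encode one TLS extension: 2-byte type, 2-byte length, body."""
    return struct.pack(">HH", ext_type, len(body)) + body

def build_client_hello(hostname, total_size):
    """TLS 1.3 ClientHello handshake message, padded so the whole message is
    exactly `total_size` bytes (assumed to mimic a hybrid PQ hello's size)."""
    sni = _ext(0x0000, struct.pack(">HBH", len(hostname) + 3, 0, len(hostname)) + hostname.encode())
    groups = _ext(0x000A, struct.pack(">HH", 2, 0x001D))                    # supported_groups: x25519
    sigalgs = _ext(0x000D, struct.pack(">HHHH", 6, 0x0403, 0x0804, 0x0401))  # ecdsa/rsa-pss/rsa-pkcs1 sha256
    versions = _ext(0x002B, b"\x02\x03\x04")                                 # supported_versions: TLS 1.3
    key_share = _ext(0x0033, struct.pack(">HHH", 36, 0x001D, 32) + os.urandom(32))  # throwaway x25519 share
    body = (b"\x03\x03" + os.urandom(32)            # legacy_version, random
            + b"\x20" + os.urandom(32)              # legacy_session_id (compat)
            + struct.pack(">H", 6) + b"\x13\x01\x13\x02\x13\x03"  # AES-GCM / ChaCha20 suites
            + b"\x01\x00")                          # compression: null only
    exts = sni + groups + sigalgs + versions + key_share
    fixed = 4 + len(body) + 2 + len(exts) + 4       # handshake hdr + body + ext len + padding ext hdr
    exts += _ext(0x0015, b"\x00" * max(0, total_size - fixed))
    hs = body + struct.pack(">H", len(exts)) + exts
    return b"\x01" + len(hs).to_bytes(3, "big") + hs  # handshake type client_hello(1)

def to_records(handshake, record_max=16384):
    """Wrap a handshake message in TLS records (type 22, legacy version 0x0301),
    splitting across records when it exceeds the record size limit."""
    out = b""
    for i in range(0, len(handshake), record_max):
        chunk = handshake[i:i + record_max]
        out += b"\x16\x03\x01" + struct.pack(">H", len(chunk)) + chunk
    return out

def classify_response(first_bytes):
    """Interpret the first bytes the server sends back after our ClientHello."""
    if not first_bytes:
        return "no reply (connection closed or reset): server cannot handle a large ClientHello"
    if first_bytes[0] == 0x16:
        return "handshake (ServerHello): large ClientHello accepted"
    if first_bytes[0] == 0x15:
        return "TLS alert: server rejected the ClientHello"
    return "unexpected data"

def probe(hostname, port=443, size=1400, timeout=5):
    """Connect, send the padded hello, and classify the reply. Network use only."""
    hello = build_client_hello(hostname, size)
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as s:
            s.sendall(to_records(hello))
            return classify_response(s.recv(5))
    except (ConnectionResetError, socket.timeout) as exc:
        return f"no reply ({exc.__class__.__name__}): server cannot handle a large ClientHello"
```

Run `probe("your-host.example")` against the server before and after a fix; a healthy TLS 1.3 server returns the ServerHello result at 1400 bytes and also at sizes above 16384, where the hello spans two records.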
-
Well, no browser except for the latest Chromium (and therefore Vivaldi) has a problem with it, and SSL test sites I tried, including the one recommended in this thread, said it was valid.
But obviously "the latest Chromium has a problem with it" is a big issue that needs to be addressed. You can't just not be valid to Chromium-based browsers, that's not an option.
I'll file a bug with Narrowlink.
-
@ejh Chromium/Google and others are very focused on preparing and testing various solutions to secure TLS encryption against post-Quantum attacks. See e.g. https://blog.chromium.org/2024/05/advancing-our-amazing-bet-on-asymmetric.html
-
Btw, I reported the bug to Narrowlink and it was fixed in less than a day. Thanks for the help figuring it out!
-
@yngve Long read, and mostly over my head! But still informative... Thanks!