1

I am wondering whether the Extended Validation (EV) Certificate 'green bar' in the web browser is affected by cipher suites. I can't seem to find a reference that says so apart from this answer. Though I do find it weird that one of the websites that have an EV certificate is properly shown in green in a mobile browser while the other is not.

The website that has the green bar has the following cipher suites:

            PORT    STATE SERVICE REASON
            443/tcp open  https   syn-ack ttl 117
            | ssl-enum-ciphers: 
            |   TLSv1.0: 
            |     ciphers: 
            |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
            |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
            |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
            |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
            |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
            |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
            |     compressors: 
            |       NULL
            |     cipher preference: server
            |   TLSv1.1: 
            |     ciphers: 
            |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
            |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
            |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
            |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
            |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
            |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
            |     compressors: 
            |       NULL
            |     cipher preference: server
            |   TLSv1.2: 
            |     ciphers: 
            |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
            |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
            |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
            |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
            |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
            |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
            |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
            |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
            |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
            |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
            |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
            |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
            |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
            |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
            |     compressors: 
            |       NULL
            |     cipher preference: server
            |_  least strength: A

While the other only has these:

            PORT    STATE SERVICE REASON
            443/tcp open  https   syn-ack ttl 119
            | ssl-enum-ciphers: 
            |   TLSv1.2: 
            |     ciphers: 
            |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
            |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
            |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
            |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
            |     compressors: 
            |       NULL
            |     cipher preference: server
            |_  least strength: A

The cipher checking is done using Nmap. My question is whether cipher suite selection affects the 'green bar' in the web browser, or whether perhaps anything else is in play? Thank you.

Bagus Tesa
  • 113
  • 5
  • The ciphers should not affect the display of the green bar. But so far you only claim that both have EV certificates but only one shows a green bar without having anything to reproduce this claim. Maybe you should provide the URL in question? – Steffen Ullrich Oct 26 '17 at 02:20
  • @SteffenUllrich, sent in chat – Bagus Tesa Oct 26 '17 at 02:49
  • 1
    If server has multiple certs with different key types/algorithms then the choice of ciphersuite _can_ in general affect the choice of cert, but not for the lists you posted which both use an RSA cert in all cases. – dave_thompson_085 Oct 26 '17 at 04:53

1 Answer

3

Is EV (Extended Validation) Certificate Green Bar Affected by Available Cipher Suites?

No, it's not. What you have here is a different problem caused by an inconsistent setup of the site in question. Details follow below.


Based on your feedback about the domain names in chat I've checked the site in question with different systems and it shows inconsistent behavior: on some systems it returns a non-EV certificate issued by "GlobalSign Organization Validation CA - SHA256 - G2" and on other systems an EV certificate issued by "GlobalSign Extended Validation CA - SHA256 - G3".

Looking at the difference of these systems I realized that my mobile version was using IPv6 while my desktop was using IPv4 to access the site. And in fact, looking at the report for this domain by SSLLabs gives you an IPv4 and IPv6 address for this site, where the IPv4 address is serving the EV certificate while the IPv6 address is serving the non-EV certificate.

One can reproduce this on an IPv6 enabled system with nmap. For IPv4:

$ nmap -p443 -script=ssl-cert your.hostname.here 
...
| Issuer: commonName=GlobalSign Extended Validation CA - SHA256 - G3/organizationName=GlobalSign nv-sa/countryName=BE

While with IPv6:

$ nmap -6 -p443 -script=ssl-cert your.hostname.here 
...
| Issuer: commonName=GlobalSign Organization Validation CA - SHA256 - G2/organizationName=GlobalSign nv-sa/countryName=BE

In summary: the green bar is correct because the site does not serve an EV certificate for the mobile system using IPv6 but it serves the EV certificate only when accessed with IPv4.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
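The diagnosis in the answer (resolve the host, connect to each IPv4 and IPv6 address separately with SNI, compare the issuer of the certificate each address serves) can be automated. The script below is an added example, not code from the question, the answer or nmap; function names are mine, the two issuer strings are the ones quoted in the answer, and the sample addresses are constructed documentation-range values. It also records the negotiated cipher per address, so you can see that the certificate and the cipher suite are chosen independently.

```python
import socket
import ssl

def issuer_fields(cert):
    """Flatten the nested 'issuer' tuples of ssl.getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def looks_ev(cert):
    """Heuristic the answer uses: judge EV by the issuing CA's common name.
    Authoritative EV status lives in certificatePolicies, which getpeercert()
    does not expose, so treat this as a quick triage signal only."""
    return "extended validation" in issuer_fields(cert).get("commonName", "").lower()

def fetch_cert(hostname, address, port=443, timeout=5.0):
    """TLS-connect to one literal IPv4/IPv6 address, sending SNI for hostname.
    Returns (peer certificate dict, negotiated cipher tuple)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((address, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert(), tls.cipher()

def resolve_all(hostname, port=443):
    """Every A and AAAA address the resolver returns, deduplicated."""
    infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def report(certs_by_address):
    """Map each address to (issuer CN, looks_ev) for side-by-side comparison."""
    return {addr: (issuer_fields(cert).get("commonName"), looks_ev(cert))
            for addr, cert in certs_by_address.items()}

def is_consistent(certs_by_address):
    """True when every address agrees on EV status; the IPv4/IPv6 split in the
    answer is exactly the case this returns False for."""
    return len({looks_ev(cert) for cert in certs_by_address.values()}) <= 1

def _issuer(cn):  # constructed getpeercert()-shaped sample, issuer fields only
    return {"issuer": ((("countryName", "BE"),), (("organizationName", "GlobalSign nv-sa"),),
                       (("commonName", cn),))}

# Constructed sample mirroring the answer, on documentation-range addresses.
SAMPLE = {"192.0.2.10": _issuer("GlobalSign Extended Validation CA - SHA256 - G3"),
          "2001:db8::10": _issuer("GlobalSign Organization Validation CA - SHA256 - G2")}

if __name__ == "__main__":
    import sys  # usage: python check_ev.py your.hostname.here (no arg: SAMPLE)
    host = sys.argv[1] if len(sys.argv) > 1 else None
    certs = {a: fetch_cert(host, a)[0] for a in resolve_all(host)} if host else SAMPLE
    print(report(certs), "consistent:", is_consistent(certs))
```

Run it with a hostname to query the live server over every address it resolves to; with no argument it evaluates the constructed sample and flags the same IPv4/IPv6 inconsistency the answer found.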