My website, here, is on my server (Debian Wheezy, Apache 2.4.10 on the testing repos). I configured Apache myself and blocked all attackable ciphers after reading many websites discussing those problems, and I have to say, this is not my specialty, as I'm a physicist. So please excuse my ignorance if I do something obviously wrong.

My cipher configuration in Apache is this:

SSLProtocol all -SSLv2 -SSLv3
SSLCompression off
SSLCipherSuite AES128+EECDH:AES128+EDH

And I tried an alternative explicit cipher config, which also gave the same problem:

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 ECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS -RC4"

So the problem is that Google Chrome (Version 42.0.2311.90 m) is giving an exclamation triangle when I open my website:

[Screenshot: Google Chrome displaying security problem]

On the other hand, in SSLLabs, I get a very good ranking with no comments (though an explanation for the cipher 80% would be nice. What should I do to get a 90+%?)

[Screenshot: SSL ranking of my website]

So my question is: How can I get Google Chrome (and probably other browsers) to stop complaining with that triangle?

If you require any additional information, please ask.

The Quantum Physicist

1 Answer

Regarding your problem the answer is here:

https://forum.startcom.org/viewtopic.php?p=21511

But your site looks OK in my Chrome browser with the same version: [screenshot]

You should clear the cache? How do I clear Chrome's SSL cache? https://productforums.google.com/forum/#!topic/chrome/z3biAPhNVDw

Sacx
  • Thank you for the response. The link you provided claims that I would have a SHA1 signature, which is not true. I have a SHA256, and I have another site with definitely SHA256 and it also gives the triangle. What should I do to fix the certificates? – The Quantum Physicist Apr 21 '15 at 17:19
  • Try to refresh the page. – Sacx Apr 21 '15 at 17:20
  • I have the same version: 42.0.2311.90 and everything is OK with your site. Please flush the cache, etc. – Sacx Apr 21 '15 at 17:23
  • Try in incognito mode to see if your https icon is green. – Sacx Apr 21 '15 at 17:31
  • I'm trying to clear my cache but it's not working. I tried incognito too and it still shows the triangle. But I think you're right, I tried on another computer and I got that triangle removed... it's a very stupid caching system. Thank you for your time. – The Quantum Physicist Apr 21 '15 at 17:37
  • It is most likely a sha1 issue. Look at the whole certificate chain by double clicking on that "Certificate Information" link in the above screenshot. It's possible your cert is sha256 but a parent cert is sha1. They all need to be sha256 except the top level one, which doesn't matter (as it's explicitly trusted by your computer). It's possible there are two paths up to a trusted cert and your computer is picking one which has a sha1 cert in it for some reason. So compare the cert paths on your computer with one which shows it as green. – Barry Pollard Apr 23 '15 at 06:02
  • It wasn't. Everything was ok, but his browser cached the old certificate. – Sacx Apr 23 '15 at 07:31
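
The chain check described in the comments above (every certificate except the explicitly trusted root must avoid SHA-1, even when the leaf is SHA-256), as an added example that is not code from this thread. It reads the signature algorithm of each certificate in a PEM chain file with a small DER parser; the file name `chaincheck.py`, the function names, and the rule "issuer equals subject means root" are assumptions of this sketch, and it inspects only the chain as stored in the file, not the path a particular browser builds.

```python
import base64
import re
import sys

# DER-encoded OID bytes -> signature algorithm name (common RSA/ECDSA ones only).
SIG_ALGS = {
    "2a864886f70d010105": "sha1WithRSAEncryption",
    "2a864886f70d01010b": "sha256WithRSAEncryption",
    "2a864886f70d01010c": "sha384WithRSAEncryption",
    "2a8648ce3d0401": "ecdsa-with-SHA1",
    "2a8648ce3d040302": "ecdsa-with-SHA256",
    "2a8648ce3d040303": "ecdsa-with-SHA384",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_info(der):
    """Return (signature algorithm name, issuer == subject) for one certificate."""
    _, body, _ = read_tlv(der, 0)                 # Certificate SEQUENCE
    _, tbs_start, tbs_end = read_tlv(der, body)   # tbsCertificate
    _, alg, _ = read_tlv(der, tbs_end)            # outer signatureAlgorithm
    _, oid_start, oid_end = read_tlv(der, alg)
    oid = der[oid_start:oid_end].hex()
    fields, pos = [], tbs_start  # serial, signature, issuer, validity, subject
    while pos < tbs_end and len(fields) < 5:
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:  # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return SIG_ALGS.get(oid, "unknown OID " + oid), fields[2] == fields[4]

def weak_links(pem_text):
    """Return [(position, algorithm)] for SHA-1-signed certs that are not roots."""
    found = []
    for i, b64 in enumerate(PEM_RE.findall(pem_text)):
        name, self_issued = cert_info(base64.b64decode(b64))
        # Assumption: issuer == subject marks the explicitly trusted root.
        if "sha1" in name.lower() and not self_issued:
            found.append((i, name))
    return found

if __name__ == "__main__":  # usage: python chaincheck.py chain.pem
    for pos, alg in weak_links(open(sys.argv[1]).read()):
        print(f"certificate #{pos} in the file is signed with {alg}")
```

Run it against the file Apache serves as the chain; an empty result means no non-root certificate in that file carries a SHA-1 signature.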