Error message: The SSL connection could not be established, CERTIFICATE_VERIFY_FAILED
Check for the latest known vulnerabilities and misconfigurations:
- Certificate issuer, validity, algorithm used to sign
- Protocol details, cipher suites, handshake simulation
Check whether the certificate chain is installed correctly
Definition
- Root certificates sign intermediate certificates
- Intermediate certificates serve as a link between the Certificate Authority and the website certificate
- When a user browses to a website protected by the SSL certificate over a secure connection, the browser starts verifying the certificate
- It then follows the chain of trust up to a root certificate embedded in its own (or the operating system's) trust store
- Intermediate certificate(s) should be installed on the server, along with the end-entity certificate, for the certificate to be recognized as a trusted one in all browsers.
If PayPal installed their server certificate for www.paypal.com without installing VeriSign’s Class 3 Extended Validation SSL SGC CA intermediate certificate, a web browser would give the certificate not trusted error.
(Image: browser "certificate not trusted" error)
Check Tools
The result lists the certificates the server sends, in this order:
- Server certificate (end-entity certificate) first
- Intermediate certificate(s) listed after it
Reference: how-to-check-ca-chain-installation
Verify the issue
Common causes of SSL errors on the client-side:
- The wrong date or time on the client device.
- An error with the browser configuration.
- A connection that is being intercepted by a third party.
Common causes of SSL errors on the server-side:
- A cipher suite mismatch.
  - The cipher suite you set may not be supported by Android. Check this with the SSL Labs (Qualys) client test: https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=6.0&key=129
- A protocol used by the client that isn't supported by the server.
  - For example, which protocol versions are enabled or disabled is set in the server configuration.
- A certificate that is incomplete, invalid, or expired.
  - If the server certificate is incomplete, invalid, or expired, HTTPS to that server fails from every client: iOS, Android and web browsers.
  - But when the server certificate is fine and instead a root or intermediate certificate has expired, only certain clients (for example some Android devices) may fail to connect over HTTPS.
  - For example, when one intermediate certificate has expired, the certificate path can look like the one below.
  - An expired certificate cannot be extended; a new certificate must be issued.
  - An expired certificate can make the certificate path untrusted; to fix this, the expired certificate should be deleted.
https://www.digicert.com/blog/impacts-of-root-certificate-expiration/
Path #2 causes “Missing intermediate certificate authority” in Android
https://developer.android.com/training/articles/security-ssl#MissingCa
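As an added example (not code from the original post), the Go program below reproduces the checks discussed above entirely in memory with the standard library's crypto/x509 package: it issues a constructed root, intermediate and leaf certificate (the CA names and the hostname www.example.test are invented), checks that a server-sent chain is ordered leaf first, and then verifies the leaf the way a client would, with the intermediate installed, with the intermediate missing, and with an intermediate that has already expired. The last two cases are the "missing intermediate certificate authority" and "certificate path untrusted" failures the post describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial numbers for the example certificates

// mkCert issues a certificate signed by parent (self-signed when parent is nil).
// The CA names and hostname passed in by the caller are invented for this example.
func mkCert(cn string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // CAs must be allowed to sign certificates
	} else {
		tmpl.DNSNames = []string{cn} // modern clients match the SAN, not the CN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ChainOrderOK checks the order a server sends its certificates in: the
// end-entity certificate first, each one signed by the certificate after it.
func ChainOrderOK(chain []*x509.Certificate) bool {
	if len(chain) == 0 {
		return false
	}
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return false
		}
	}
	return true
}

// VerifyLeaf does what a client does: it trusts only the root and has to build a
// path from the leaf using whatever intermediates the server supplied.
func VerifyLeaf(leaf *x509.Certificate, sent []*x509.Certificate, root *x509.Certificate, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range sent {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName: leaf.Subject.CommonName, Roots: roots, Intermediates: inters, CurrentTime: at,
	})
	return err
}

// Outcome records which misconfigurations the checks above detect.
type Outcome struct {
	FullChainOK         bool // intermediate installed: the client builds the path
	MissingIntermediate bool // intermediate omitted: unknown-authority failure
	ExpiredIntermediate bool // leaf still valid, but its issuer expired: path untrusted
	WrongOrderDetected  bool // intermediate sent before the leaf is flagged
}

func RunScenarios() Outcome {
	now, day := time.Now(), 24*time.Hour
	root, rootKey := mkCert("Example Root CA", true, now.Add(-3650*day), now.Add(3650*day), nil, nil)
	inter, interKey := mkCert("Example Intermediate CA", true, now.Add(-365*day), now.Add(365*day), root, rootKey)
	leaf, _ := mkCert("www.example.test", false, now.Add(-day), now.Add(90*day), inter, interKey)
	// An intermediate that expired yesterday, and a leaf that is inside its own
	// validity period but chains through it: the expired-intermediate case above.
	oldInter, oldKey := mkCert("Example Old Intermediate CA", true, now.Add(-730*day), now.Add(-day), root, rootKey)
	oldLeaf, _ := mkCert("www.example.test", false, now.Add(-day), now.Add(90*day), oldInter, oldKey)
	return Outcome{
		FullChainOK:         VerifyLeaf(leaf, []*x509.Certificate{inter}, root, now) == nil,
		MissingIntermediate: VerifyLeaf(leaf, nil, root, now) != nil,
		ExpiredIntermediate: VerifyLeaf(oldLeaf, []*x509.Certificate{oldInter}, root, now) != nil,
		WrongOrderDetected:  ChainOrderOK([]*x509.Certificate{leaf, inter}) && !ChainOrderOK([]*x509.Certificate{inter, leaf}),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

VerifyLeaf trusts nothing but the one root, which is exactly the position a browser or Android device is in: if the intermediate is not sent by the server or has expired, the client cannot complete the path even though the leaf itself is valid, so the fix on the server is to install (or replace) the intermediate, not the leaf.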