Telecom Italia (ISP) and certificate recognition issues

My domain is: teatroscientifico.com
My web server is (include version): 2.4.10-10+deb8u8
The operating system my web server runs on is (include version): Release: 8.5 - Codename: jessie

Hi friends, a curious thing happened to me:

Only with a Telecom Italia Business Internet connection (for the moment), and (for the moment too) only for one domain (teatroscientifico.com), Firefox seems unable to fetch the right certificate. This shows up as the traditional Firefox warning of insecure navigation.
If I run Firefox with a different ISP the problem goes away.

Have you ever had similar situations?

many thanks

Davide
Italy

The problem is NOT with the cert, nor the server config:

openssl s_client -connect teatroscientifico.com:443 -servername teatroscientifico.com
and
openssl s_client -connect teatroscientifico.com:443 -servername none

both return a certificate with "subject=/CN=server.sio4.org"
and SAN =

DNS Name=teatroscientifico.com

DNS Name=www.teatroscientifico.com

My only advice is to add server cipher order preference to minimize the possibility of weak/insecure cipher negotiation (or remove all weak/insecure ciphers).

Ghh… could you explain better for me (I’m little more than a newbie…) what you mean by your hints? How could I change the server cipher order?

Still regarding Telecom: today I contacted their support, and the first-level technician confirmed a geographic problem in their network, but did not tell me anything more…

Many thanks for your kind help Rudy!

Without knowing which web server is in use:

I can only guess, it might be Apache.

So, for Apache see: "SSLHonorCipherOrder On"
And you can also review this page for more detail: https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html

And you can check your system anytime at: https://www.ssllabs.com/ssltest/
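
One way to apply the cipher-order advice above on Apache 2.4 with mod_ssl, as an added example that is not part of the original thread. The cipher string and the choice to disable SSLv3 are illustrative assumptions, and the directives are meant to go inside the existing port-443 virtual host for the domain (or server-wide in the mod_ssl configuration).

```apache
# Added example, not from the thread. Assumes Apache 2.4 with mod_ssl loaded.
# Place these directives inside the existing <VirtualHost *:443> block for the
# site, next to the certificate directives that are already there.

# --- Weak form (what you get when nothing is set) --------------------------
# SSLHonorCipherOrder defaults to "off": the *client's* preference order wins,
# so a client that lists a weak cipher first gets it if the server allows it.
#
#   SSLCipherSuite DEFAULT
#   SSLHonorCipherOrder off

# --- Corrected form --------------------------------------------------------
# Protocols: keep TLS, drop SSLv3 (illustrative assumption).
SSLProtocol all -SSLv3

# Cipher list in OpenSSL cipher-string syntax, strongest groups first.
# Forward-secret AES-GCM suites lead, then the remaining HIGH suites;
# anonymous, MD5-based and 3DES suites are removed outright.
# (Illustrative list; adjust to the clients you must support.)
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:HIGH:!aNULL:!MD5:!3DES

# Make the server's order above authoritative during the handshake.
SSLHonorCipherOrder on

# After editing:
#   apachectl configtest      # syntax check before touching the running server
#   reload Apache, then re-run the SSL Labs test linked above and confirm the
#   report shows the server's preferred order and no weak suites.
```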

…oops, sorry, Apache2! 😇

Many thanks for your hints, very very useful!!

Ciao!
