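On Mac OS X 10.13 High Sierra, I am visiting a website, https://www.saintanneshospital.org, and Safari and Firefox tell me the certificate has been revoked; however, when I inspect the certificate, it is clearly valid.
This happens only on my computer, and only in Safari and Firefox.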
$ curl --insecure -v https://www.saintanneshospital.org 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
* subject: OU=Domain Control Validated; CN=steward.org
* start date: Oct 20 20:10:01 2017 GMT
* expire date: Sep 21 18:03:03 2020 GMT
* issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fb0da805400)
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* Connection #0 to host www.saintanneshospital.org left intact
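What is the best way to debug why Safari and FF think the certificate is revoked, even though it is valid?
I restarted my computer, tried a VPN, and confirmed there are no local /etc/hosts entries for the affected site.
Answer 0 (score: 2)
You can view the certificate chain in Firefox and other browsers. The certificate chain appears valid, but there is one (possibly) untrusted certificate:
The root certificate "Go Daddy Class 2 Certification Authority" is hashed with SHA-1, and browsers such as Google Chrome, Firefox and Safari no longer trust SHA-1 certificates. The certificate for https://www.saintanneshospital.org/ could be reissued using a SHA-2 root certificate.
See Google Security Blog - SHA-1 Certificates in Chrome, Mozilla Security Blog - Phasing Out SHA-1 on the Public Web, and Apple Support - Move to SHA-256 signed certificates to avoid connection failures.
The certificate was also issued for the site steward.org, not www.saintanneshospital.org.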
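
One way to approach the debugging step the question asks about, as an added example that is not part of the original question or answer: query the OCSP responder for every certificate the server sends, because a "revoked" verdict can apply to an intermediate as well as to the leaf. The function names `split_chain` and `check_chain` and the script name are hypothetical; the script assumes `openssl` is installed and the host is reachable on port 443.

```sh
#!/bin/sh
# Added example (not from the question or answer): OCSP status for each
# certificate a server presents. Requires openssl and network access.

# Split a PEM bundle on stdin into DIR/cert-1.pem, DIR/cert-2.pem, ...
# Text outside BEGIN/END markers is dropped. Prints the certificate count.
split_chain() {
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; keep = 1 }
    keep { print > out }
    /-----END CERTIFICATE-----/ { keep = 0; close(out) }
    END { print n + 0 }'
}

# For certificate i in the served chain, query the OCSP responder named in
# that certificate, using certificate i+1 as the issuer. The last served
# certificate has no issuer in the chain and is not queried.
check_chain() {
  host="$1"
  dir="$(mktemp -d)" || return 1
  n="$(openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | split_chain "$dir")"
  echo "server sent $n certificate(s)"
  i=1
  while [ "$i" -lt "$n" ]; do
    cert="$dir/cert-$i.pem"
    issuer="$dir/cert-$((i + 1)).pem"
    openssl x509 -noout -subject -serial -in "$cert"
    uri="$(openssl x509 -noout -ocsp_uri -in "$cert")"
    if [ -n "$uri" ]; then
      # -noverify skips validating the responder's signature, so treat the
      # printed status (good / revoked / unknown) as a diagnostic hint only.
      openssl ocsp -issuer "$issuer" -cert "$cert" -url "$uri" -noverify 2>&1
    else
      echo "no OCSP responder URI in this certificate"
    fi
    i=$((i + 1))
  done
  rm -rf "$dir"
}

# Usage: sh check_ocsp.sh www.saintanneshospital.org
if [ "$#" -gt 0 ]; then check_chain "$1"; fi
```

Browsers may build a different path from the one the server sends, so compare the serial numbers printed here with those shown in the browser's certificate viewer for the chain it rejected.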