I'm having trouble with my bank site. The login page gives me an SSL failed warning in both Konqueror (for about a month) and now Firefox as well. I don't seem to see any relevant Gentoo bugs on this yet, but would like to confirm it's not a MitM attack before I file one. It doesn't seem to happen at other SSL sites, so it doesn't appear to be a general SSL error, tho it might be one with that particular type of certificate.

The site (login isn't necessary, the error comes on the initial connect):

https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller?state=AZ

Konqueror 3.5.7's error:

The server failed the authenticity test (<site domain>).

Details gives me this:

Certificate signing authority is unknown or invalid.

The issuer appears to be VeriSign, Inc. Common name: VeriSign Class 3 Secure Server CA. The certificate is fairly new, valid from Monday, 20 August 2007, 00:00:00 GMT.

In case anyone wishes to verify the specifics, Konqueror lists the serial number as (spaces added for readability) 1100 7197 7289 5102 6319 8066 3729 4699 1776 610, MD5 digest as 9B:B9 B:12:3D:B6:99:19:B1:99:6E:1C:9F:CE:7C:E5, Cypher RC4-SHA, SSL version TLSv1/SSLv3, 128-bit used of 128 bit cipher.

I thought it was just Konqueror strangeness until Firefox (which worked at first, after Konqueror quit) started protesting as well.

Firefox:

Unable to verify the identity of <site> as a trusted site. Possible reasons for this error [etc...]

Examine Certificate lists similar details:

Serial in hex this time as: 52:CF:17:7A:4E:1C:0C:E4:7B:A6:3C:E0:0B C:03:62

MD5 fingerprint the same, same issuer, VeriSign Class 3 Secure Server CA, etc, so it appears to be the same cert, with the same problem.

So what's up? Anyone else having problems? You should be able to check the SSL even without a login. They do seem to be only with the latest version, at least of Firefox, since I didn't have issues with it until I updated just a couple days ago.

Again, most secure sites work just fine, but it could still be one of the SSL libraries.

BTW, I have bills coming due that it'd be nice to be able to pay, so it'd in turn be nice to at least get a confirmation from others that the cert's not compromised. I can (well, should be able to, I've not actually tried, but I get the option presented) still accept it manually once I'm sure it's not a MitM attack.

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."
Richard Stallman
--
gentoo-desktop gentoo.org mailing list
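
Added example, not part of the original post: the two browsers above show the serial in different notations (decimal in Konqueror, colon-separated hex in Firefox), so comparing observations needs both normalized first, and a fingerprint that lost characters in transit should be rejected rather than compared. The function names and sample values are constructed for illustration; the decimal-versus-hex rule is an assumption based on the two formats in the post. Two browsers on one connection agreeing only shows they see the same certificate, so the useful comparison is against values read over a different network path.

```python
import re

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

def serial_to_int(text):
    """Parse a serial as displayed by a browser.

    Assumption: colon-separated pairs are hex (Firefox style); digit
    groups without colons are decimal (Konqueror style, spaces allowed).
    """
    s = text.strip()
    if ":" in s:
        parts = s.split(":")
        if not all(_HEX_PAIR.fullmatch(p) for p in parts):
            raise ValueError("damaged hex serial: %r" % text)
        return int("".join(parts), 16)
    digits = re.sub(r"\s+", "", s)
    if not digits.isdigit():
        raise ValueError("damaged decimal serial: %r" % text)
    return int(digits)

def fingerprint_bytes(text, length=16):
    """Parse a colon-separated fingerprint; an MD5 digest is 16 bytes."""
    parts = text.strip().split(":")
    if len(parts) != length or not all(_HEX_PAIR.fullmatch(p) for p in parts):
        raise ValueError("damaged fingerprint: %r" % text)
    return bytes(int(p, 16) for p in parts)

def same_certificate(obs_a, obs_b):
    """Each observation is (serial_text, md5_text); both fields must match."""
    return (serial_to_int(obs_a[0]) == serial_to_int(obs_b[0])
            and fingerprint_bytes(obs_a[1]) == fingerprint_bytes(obs_b[1]))

# Constructed sample values, not the certificate from the post.
HEX_SERIAL = "10:00:00:00:00"            # 2**36 in Firefox-style hex
DEC_SERIAL = "6871 9476 736"             # same number, grouped decimal
MD5_OK = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"
MD5_DAMAGED = "00:11 2:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"

if __name__ == "__main__":
    print(same_certificate((HEX_SERIAL, MD5_OK), (DEC_SERIAL, MD5_OK.lower())))
    try:
        fingerprint_bytes(MD5_DAMAGED)
    except ValueError as exc:
        print("rejected:", exc)
```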