[cp-global] cryptoparty.in and SSL

Kai Engert kaie at kuix.de
Mon Mar 10 21:59:56 GMT 2014

On So, 2014-03-09 at 01:10 +0100, ml at enteig.net wrote: 
> there are reports that https://cryptoparty.in does not load in some
> configurations of browsers.
> If you cannot reach https://cryptoparty.in please report this to – I
> don't know, I guess I can collect and sort it before forwarding to the
> admins – me <ml at enteig.net>.

It seems the cryptoparty.in domain has been configured to use HSTS. 

That's a server side mechanism, that requests the client to remember
that a site is able to use https, and refuse any attempt to load
plaintext http.

Accessing https://cryptoparty.in triggers a redirect to the plaintext
address http://www.cryptoparty.in

You can see it yourself e.g. using
$ curl --head https://cryptoparty.in
HTTP/1.1 301 Moved Permanently
Location: http://www.cryptoparty.in/

You should change the configuration to redirect to
https://www.cryptoparty.in/ in order to avoid problems with HSTS [1].

It's possible the above combination of server side configuration is
causing the problems. Don't redirect from https to http.

Another potential issue, the server uses the SNI [2] feature.
That's a modern variation of the SSL/TLS handshake, that allows to host
multiple domains on a single TLS server port.

SNI requires a modern browser.

In addition, SNI is incompatible with SSL v2. Most browsers should have
SSL v2 disabled by default.

If you experience a server error, mentioning the certificate being valid
only for *.informatick.net, did you reenable SSL v2? (Don't do that, SSL
v2 is broken.)


[1] HSTS: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
[2] SNI: http://en.wikipedia.org/wiki/Server_Name_Indication

More information about the global mailing list