Slashdot Mirror


Verisign Certificate Expiration Causes Multiple Problems

We had to do a little sleuthing today. Many readers wrote in with problems that turned out to be related. A certificate which Verisign used for signing SSL certificates has expired. When applications which depend on that certificate try to make an SSL connection, they fail and try to access crl.verisign.com, the certificate revocation list server. This has effectively DOS'ed that site, and Verisign has now updated the DNS record for that address to include several non-routable addresses, reducing the load on their servers. Some applications affected include older Internet Explorer browsers, Java, and Norton Antivirus (which may manifest itself as Microsoft Word being very slow to start). Hope this helps a few people, and if you have other apps with problems, please post about them below.


  1. Re:Who needs them? by grub · · Score: 5, Informative


    Self-signed certificates are fine for Joe-Hobby website, but when you're about to enter a credit card number online it's assuring to see that the SSL cert is signed by a real organization and not "l33t_d00d@hotmail.com"

    --
    Trolling is a art,
  2. If people are getting errors coming to your site.. by nharmon · · Score: 5, Informative

    saying that your certificate is expired or not yet valid...except that it is...you need to go here.

  3. Fixed this today... by heironymouscoward · · Score: 4, Informative

    On one of our customers' systems (IIS). Turns out they had already installed the new Verisign intermediate certificate but had not removed the old one. IIS happily used the old one...

    Lesson: if the certificate expired yesterday, remove it from IIS and then reboot the thing.

    --
    Ceci n'est pas une signature
  4. Windows Explorer by thedillybar · · Score: 4, Informative

    I noticed this happening yesterday on my WinXP machine. After clicking Start->Programs and right-clicking on any icon, c:\windows\explorer.exe attempts to connect to crl.verisign.com [198.49.161.200], port 80.
    As the article states, this also resolves to some unroutable IPs:
    198.49.161.205
    198.49.161.206
    10.0.0.1
    10.0.0.2
    10.0.0.3
    64.94.110.11
    198.49.161.200
    Windows Explorer also appears to freeze (at least temporarily) if a firewall (or presumably a lack of Internet connection) prevents this from being made. It's possible, however, that if crl.verisign.com will not resolve, it will not freeze as it will if it resolves but cannot connect. Unfortunately, this is still a problem even if you have an Internet connection because of the stability (or lack thereof) of the Verisign site.
  5. Oracle notified me of this yesterday... by Perrin7 · · Score: 3, Informative

    I received the following email yesterday: Oracle Corporation has been notified by Sun that the set of VeriSign Class 2 and Class 3 Certificates used in Oracle products will be expiring on January 7, 2004. Please review MetaLink Doc 260332.1: Expiration of VeriSign Class 2/Class 3 Certificates on Jan 7,2004 for detail information.

  6. Verisign isn't the only game in town by justMichael · · Score: 4, Informative

    I use Instant SSL cheap, good service and I haven't seen any compatibility issues.

    1. Re:Verisign isn't the only game in town by justMichael · · Score: 3, Informative

      "Trusted by 99.3% of current Internet users"

      Nope, it's a funny number, but it seems to be some kind of industry norm.

      I really don't think I should disclose how big my transactions are to this company. It's really none of their business.

      Actually you don't. What this does is provides a sort of insurance to the consumer. See here.

      It's just peace of mind for the consumer, that says that if I/you rip them off as an InstantSSL customer, InstantSSL will guarantee any fraudulent transaction up to the amount of your cert.

  7. Workaround to Explorer problems by BigJavaGeek · · Score: 5, Informative

    Because of the crl problems, Explorer has been acting slowly doing some seemingly unrelated activities. Copying or right-clicking on folders often is followed by a several second hang. To workaround, deselect "Check for publisher's certificate revocation" under the Advanced setting for IE (even though it is not IE running, that's where the setting should be changed). After this, no more Explorer hangs. Hope this helps someone. If you know why Explorer is checking crls for anything when doing a copy operation on files, please post.

    1. Re:Workaround to Explorer problems by JoeShmoe · · Score: 4, Informative

      I think you missed something in the blurb about this problem. The problem is Norton Antivirus, not Explorer. Norton is probably doing some kind of check on its virus signature files by validating their signature. This function is probably being handled by IE as the default browser function, which is getting hung up on the unroutable revocation site.

      So, to clarify, when you try to do a file operation, like copy, Norton intercepts the operation so it can check the file for a virus, then gets itself held up while waiting for IE to tell it if the signature is valid so it can check for that virus. End result is that Explorer never gets an answer from Norton and the operation hangs. Ditto for Word and other applications Norton watches closely.

      I too had this same problem on one of two Dell laptops. One used the default McAfee ScanShield that came with it, the other had been reloaded with Norton Anti-Virus. That machine had all sorts of crazy errors, such as Word hanging during opening, hanging when you right-clicked a file, hanging when you tried copying files.

      The system also had ooodles of pending updates from Microsoft that had been downloaded but not installed. I'm willing to bet one of them was a root server update or similar. Of course, the problem could be on Norton's end, meaning they need to update the security cert on their server? I'm not sure exactly how it works.

      - JoeShmoe

      --
      -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
  8. Re:Who needs them? by LostCluster · · Score: 5, Informative

    There's software out there so anyone can sign a certificate. Who needs the suits at Verisign?

    Because a cert signed by you is useful for nothing more than "This conversation is encrypted, and I say I'm me." A cert signed by a Verisign translates to "This conversation is encrypted, and Verisign says I'm me."

    What good is that? Well, not much among geeks, we don't trust Verisign further than we can throw them, but we're depending on them to keep this silly DNS thing going. However, web browsers are set with a default list of trusted "Certificate Authorities" who are allowed to sign certificates. Companies who are on those lists can sign a certificate that'll work without errors, anybody else's certificate will prompt a message indicating that the name's right, the time's valid, but the issuing authority isn't on the list of authorities you trust. (You can manually add a new authority if you want... but try convincing users to do that!)

    The problem is, so many cheapskates have now signed their own certificate that the bogus authority error isn't stopping users since it's so common when nothing's really wrong. As a result, we're seeing a lot of look-alike sites use SSL to get the padlock to come up, and users not being fazed by the red-flag alerts that this doesn't seem to be the site they think it is.

  9. Re:Also problems with Oracle by BMarkmann · · Score: 3, Informative

    It can be found here.

  10. Re:Who needs them? by KlomDark · · Score: 5, Informative

    Uh, Thawte is owned by Verisign, smart guy...

    But they are a lot cheaper for some reason... Go figure...

  11. It's happening on most servers. by Steepe · · Score: 5, Informative

    Very nice of them to.. I don't know.. let someone know before today. We spent a ton of staff time this morning trying to figure out why we could connect to our servers but not the payment engines via ssl. 4 hours later we figured it out.

    Couple of nice links.

    http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57436
    http://www.verisign.com/support/vendors/exp-gsid-ssl.html

    --
    Just three more hours seapeople and you can finally take me away from this crappy God Damned planet full of hippies
  12. CA certs in Java by VC · · Score: 3, Informative

    There is a file in the JDK called cacerts.
    (find . -name cacerts is your friend), this contains the certificates Java uses when initiating ssl connections.
    As of yesterday Sun was still shipping java with the expired 3a certificate.
    The way to include the new 3a certificate is to use the keytool command.
    The format is something like: keytool -v -keystore cacerts -import newcert.pem
    The default password for java's cacerts file is "changeit"
    VC
    ps how many geek points do i get for fixing this last week?
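
Comment 3 (an expired Verisign intermediate left installed next to the new one) and comment 12 (the expired certificate still shipped in Java's cacerts) come down to the same check: which certificate in a chain or trust store has expired or is about to. The POSIX shell script below is an added example, not code from this thread or from Verisign, Microsoft or Sun. It assumes the openssl command-line tool is installed; the chain file name, the number of days and the certificate subjects used with it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): walk every certificate in a PEM bundle
# (leaf followed by intermediates, as a server sends them) and flag the ones
# that have expired or will expire within the next N days.
# Assumes the `openssl` CLI is on PATH.

# Usage: check_chain_expiry CHAIN.pem DAYS
# Prints one line per certificate and returns 1 if any certificate in the
# bundle is expired or expires within DAYS days, 0 otherwise.
check_chain_expiry() {
    chain="$1"
    days="$2"
    seconds=$((days * 86400))
    tmpdir=$(mktemp -d)

    # Split the bundle into one file per certificate: cert-0.pem, cert-1.pem, ...
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" (n-1) ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$chain"

    status=0
    for f in "$tmpdir"/cert-*.pem; do
        [ -e "$f" ] || continue
        subject=$(openssl x509 -in "$f" -noout -subject)
        # `-checkend` exits 0 when the certificate is still valid for that many
        # seconds and 1 when it is already expired or expires sooner than that.
        if openssl x509 -in "$f" -noout -checkend "$seconds" >/dev/null; then
            echo "$(basename "$f"): OK       $subject"
        else
            echo "$(basename "$f"): EXPIRING within $days days  $subject"
            status=1
        fi
    done

    rm -rf "$tmpdir"
    return $status
}

# Stand-alone use: sh check_chain.sh CHAIN.pem DAYS
if [ "$#" -ge 2 ]; then
    check_chain_expiry "$1" "$2"
fi
```

Run it against the bundle your server actually serves, not only against the leaf, since an intermediate that IIS keeps using will show up as expired there while the leaf still looks fine. A Java cacerts store can be checked the same way after dumping it to PEM with `keytool -list -rfc -keystore cacerts`, which prints every stored certificate in PEM form.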

  13. Re:Who needs them? by Ben+Hutchings · · Score: 4, Informative

    Self-certificates are worthless except when distributed through an existing secure channel. Without a proper certificate, all I know is I'm encrypting the session key with someone's public key, but I don't know whose it is. I might as well send the contents in the clear.

  14. Re:Who needs them? by Anonymous Coward · · Score: 3, Informative

    It is easier and less detectable to sniff a connection than it is to intercept and modify all data flowing over the connection. Thus a self signed cert is better than nothing, but it does indeed have obvious security failings.

  15. Re:Not the first Verisign CRL certificate problem by meat.curtains · · Score: 3, Informative

    EVERY SINGLE CUSTOMER who renewed their Global/Secure Site Pro SSL certs within the last thirteen months was told, when they received their certs, that they also had to update their intermediates. They were given an address to get the intermediate, and instructions. They were told this would happen.

    This is not true, at least for Verisign resellers, like Trustwise in the UK. I renewed two global certs 5 months ago and was not told.