Slashdot Mirror

← Back to Stories (view on slashdot.org)

Verisign Certificate Expiration Causes Multiple Problems

Posted by michael on from the rot-at-the-root dept.

We had to do a little sleuthing today. Many readers wrote in with problems that turned out to be related. A certificate which Verisign used for signing SSL certificates has expired. When applications which depend on that certificate try to make an SSL connection, they fail and try to access crl.verisign.com, the certificate revocation list server. This has effectively DOS'ed that site, and Verisign has now updated the DNS record for that address to include several non-routable addresses, reducing the load on their servers. Some applications affected include older Internet Explorer browsers, Java, and Norton Antivirus (which may manifest itself as Microsoft Word being very slow to start). Hope this helps a few people, and if you have other apps with problems, please post about them below.

11 of 360 comments (clear)

  1. Re:Who needs them? by grub · · Score: 5, Informative


    Self-signed certificates are fine for Joe-Hobby website, but when you're about to enter a credit card number online it's assuring to see that the SSL cert is signed by a real organization and not "l33t_d00d@hotmail.com"

    --
    Trolling is a art,
  2. If people are getting errors coming to your site.. by nharmon · · Score: 5, Informative

    saying that your certificate is expired or not yet valid...except that it is...you need to go here.

  3. Fixed this today... by heironymouscoward · · Score: 4, Informative

    On one of our customers' systems (IIS). Turns out they had already installed the new Verisign intermediate certificate but had not removed the old one. IIS happily used the old one...

    Lesson: if the certificate expired yesterday, remove it from IIS and then reboot the thing.

    --
    Ceci n'est pas une signature
  4. Windows Explorer by thedillybar · · Score: 4, Informative
    I noticed this happening yesterday on my WinXP machine. After clicking Start->Programs and right-clicking on any icon, c:\windows\explorer.exe attempts to connect to crl.verisign.com [198.49.161.200], port 80.
    As the article states, this also resolves to some unroutable IPs:
    198.49.161.205
    198.49.161.206
    10.0.0.1
    10.0.0.2
    10.0.0.3
    64.94.110.11
    198.49.161.200
    Windows Explorer also appears to freeze (at least temporarily) if a firewall (or presumably a lack of Internet connection) prevents this from being made. It's possible, however, that if crl.verisign.com will not resolve, it will not freeze as it will if it resolves but cannot connect. Unfortunately, this is still a problem even if you have an Internet connection because of the stability (or lack thereof) of the Verisign site.
  5. Verisign isn't the only game in town by justMichael · · Score: 4, Informative

    I use Instant SSL cheap, good service and I haven't seen any compatibility issues.

  6. Workaround to Explorer problems by BigJavaGeek · · Score: 5, Informative

    Because of the crl problems, Explorer has been acting slowly doing some seemingly unrelated activities. Copying or right-clicking on folders often is followed by a several second hang. To workaround, deselect "Check for publisher's certificate revocation" under the Advanced setting for IE (even though it is not IE running, that's where the setting should be changed). After this, no more Explorer hangs. Hope this helps someone. If you know why Explorer is checking crls for anything when doing a copy operation on files, please post.

    1. Re:Workaround to Explorer problems by JoeShmoe · · Score: 4, Informative

      I think you missed something in the blurb about this problem. The problem is Norton Antivirus, not Explorer. Norton is probably doing some kind of check on its virus signature files by validating their signature. This function is probably being handled by IE as the default browser function, which is getting hung up on the unroutable revocation site.

      So, to clarify, when you try to do a file operation, like copy, Norton intercepts the operation so it can check the file for a virus, then gets itself held up while waiting for IE to tell it if the signature is valid so it can check for that virus. End result is that Explorer never gets an answer from Norton and the operation hangs. Ditto for Word and other applications Norton watches closely.

      I too had this same problem on one of two Dell laptops. One used the default McAfee ScanShield that came with it, the other had been reloaded with Norton Anti-Virus. That machine had all sorts of crazy errors, such as Word hanging during opening, hanging when you right-clicked a file, hanging when you tried copying files.

      The system also had ooodles of pending updates from Microsoft that had been downloaded but not installed. I'm willing to bet one of them was a root server update or similar. Of course, the problem could be on Norton's end, meaning they need to update the security cert on their server? I'm not sure exactly how it works.

      - JoeShmoe
      .

      --
      -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
  7. Re:Who needs them? by LostCluster · · Score: 5, Informative

    There's software out there so anyone can sign a certificate. Who needs the suits at Verisign?

    Because a cert signed by you is useful for nothing more than "This conversation is encrypted, and I say I'm me." A cert signed by a Verisign translates to "This conversation is encrypted, and Verisign says I'm me."

    What good is that? Well, not much among geeks, we don't trust Verisign further than we can throw them, but we're depending on them to keep this silly DNS thing going. However, web browsers are set with a default list of trusted "Certificate Authorites" who are allowed to sign certificates. Companies who are on those lists can sign a certificate that'll work without errors, anybody else's certificate will prompt a message indicating that the name's right, the time's valid, but the issuing authority isn't on the list of authorities you trust. (You can manually add a new authority if you want... but try convincing users to do that!)

    The problem is, so many cheapskates have now signed their own certificate that the bogus authority error isn't stopping users since it's so common when nothing's really wrong. As a result, we're seeing a lot of look alike sites use SSL to get the padlock to come up, and users not being phased by the red-flag alerts that this doesn't seem to be the site they think it is.

  8. Re:Who needs them? by KlomDark · · Score: 5, Informative

    Uh, Thawte is owned by Verisign, smart guy...

    But they are a lot cheaper for some reason... Go figure...

  9. Its happening on most servers. by Steepe · · Score: 5, Informative

    Very nice of them to.. I don't know.. let someone know before today. We spent a ton of staff time this morning trying to figure out why we could connect to our servers but not the payment engines via ssl. 4 hours later we figured it out.

    Couple of nice links.

    http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc= fs alert%2F57436
    http://www.verisign.com/support/ven dors/exp-gsid-s sl.html

    --
    Just three more hours seapeople and you can finally take me away from this crappy God Damned planet full of hippies
  10. Re:Who needs them? by Ben+Hutchings · · Score: 4, Informative

    Self-certificates are worthless except when distributed through an existing secure channel. Without a proper certificate, all I know is I'm encrypting the session key with someone's public key, but I don't know whose it is. I might as well send the contents in the clear.