Support for ZeroSSL CA
I've been getting cert warnings for sites using that CA lately, like for example strawberryforum.org.
Here's the CA I ripped from the site, or so it appears: zerossl_ca.zip
Anyone?
Can You show the error on the Vita, press "show certificate", and show that too?
If You see the same as I do, ISRG X1, then:
There is no problem with the Vita or iTLS; this is an actual issue with the website/server/hosting that can only be solved by the forum admins.
This forum has misconfigured SSL for access without www. in front: https://www.ssllabs.com/ssltest/analyze.html?d=strawberryforum.org
Then when accessing it with www. in front, it works: https://www.ssllabs.com/ssltest/analyze.html?d=www.strawberryforum.org
So the error message You see about a mismatched root certificate is correct and is the desired behavior of the browser, ensuring safety in case any SSL manipulation takes place. I actually had the same info on PC.
Pressing "Yes/Ok" on that error screen just redirected me to www.strawberryforum.org, and I can browse the website just fine without any further warnings after the first one.
You can also just open the website via www.strawberryforum.org, since that's where strawberryforum.org redirects to anyway, but without the broken SSL config on their server.
Note for future issues: only those root CA certificates should be added that come from an official, direct, trusted source and were provided directly by a reputable, world-wide known company.
Currently, the root certificates are the latest original OFW ones + the Mozilla root CA certificate list: https://github.com/mozilla/gecko-dev/blob/master/security/nss/lib/ckfw/builtins/certdata.txt
This ensures that we trust only those organizations that Sony trusts and also those that Mozilla/Firefox trusts.
Adding any root CA from an unknown, non-public source introduces a serious security risk.
If You can't provide a link to where You got the certificate from, i.e. a public or otherwise proven-to-be-safe organization such as Mozilla, GlobalTrust, VeriSign, LetsEncrypt or similar, and especially when the certificate itself doesn't provide ANY verifiable source, then it should never be included unless proven safe.
If You insist that You want to try the certificate anyway and don't care about any risks involved, feel free to do so; it doesn't require rebuilding the VPK at all.
Here's how:
- get vitaRW -> start vitaRW
- go to vs0:/data/external/cert/CA_LIST.cer and add the certificate You want to the bottom of the file
- save the file / copy the file to the Vita
- reboot
At this point, whatever certificate You added to the bottom, as long as it keeps the same syntax as the previous ones in the file, is going to be used by the Vita.
But IMO, it's just going to be a waste of time, since I strongly think it's just a simple case of web server misconfiguration / being outdated, and the workaround for this website is just using www. in front.
I'd say this issue can be closed, but if You find an official, first-party, first-hand place where ZeroTrust shares their official root CA certificate, then please do open a new issue. But I imagine that if such a certificate exists, it's already going to be included in iTLS-Enso 3.2.1 anyway, especially since the website You gave as an example doesn't use any ZeroTrust SSL certificate at all.
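As an added example (not code from this thread or from the iTLS-Enso project), a small Python helper that applies the rule above before anything is appended to CA_LIST.cer: the candidate is accepted only when its SHA-256 fingerprint matches the value copied from the CA's official page, it is skipped if an identical certificate is already in the bundle, and it is written in the same PEM syntax as the existing entries. It assumes CA_LIST.cer is a plain concatenation of PEM blocks (not stated in the thread); the published fingerprint and the file contents are inputs you supply.

```python
import base64
import binascii
import hashlib
import re

# Assumption (not stated in the thread): CA_LIST.cer is a plain concatenation of
# PEM certificate blocks, so a new root must be one more block of the same form.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def split_bundle(text: str) -> list:
    """Return the DER bytes of every PEM certificate block in a bundle."""
    ders = []
    for body in PEM_BLOCK.findall(text):
        try:
            ders.append(base64.b64decode("".join(body.split()), validate=True))
        except binascii.Error as exc:
            raise ValueError("malformed PEM block in bundle") from exc
    return ders

def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM block, base64 folded at 64 columns like OpenSSL."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 of the DER encoding, the form CAs publish on their sites."""
    return hashlib.sha256(der).hexdigest().upper()

def add_root(bundle: str, candidate_pem: str, published_fingerprint: str) -> str:
    """Append the candidate only if its fingerprint matches the value taken from
    the CA's official page; a certificate already present is not added twice."""
    ders = split_bundle(candidate_pem)
    if len(ders) != 1:
        raise ValueError("candidate must be exactly one PEM certificate block")
    fp = sha256_fingerprint(ders[0])
    if fp != published_fingerprint.replace(":", "").upper():
        raise ValueError(f"fingerprint {fp} does not match the published value")
    if any(sha256_fingerprint(d) == fp for d in split_bundle(bundle)):
        return bundle  # already trusted (e.g. shipped with OFW/Mozilla list)
    prefix = bundle.rstrip("\n") + "\n" if bundle.strip() else ""
    return prefix + to_pem(ders[0])
```

Run it against a copy of CA_LIST.cer and only copy the result back to the Vita when the function returns a changed bundle; a fingerprint mismatch means the file you were handed is not the CA's published root.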