Closed
Bug 1361231
Opened 8 years ago
Closed 8 years ago
Secure Connection Failed for https://cloudicweb.nhi.gov.tw/ (Taiwan NHI IC card system)
Categories: Web Compatibility :: Site Reports, defect
Tracking: Not tracked
Status: RESOLVED FIXED
People
(Reporter: timdream, Assigned: etsai)
Details
(Whiteboard: [needscontact])
Attachments (1 file): 3.99 KB, text/plain
On Firefox 53 the error code is SEC_ERROR_BAD_SIGNATURE
On Nightly it says SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED (log attached)
https://cloudicweb.nhi.gov.tw/cloudic/system/Login.aspx
https://www.ssllabs.com/ssltest/analyze.html?d=cloudicweb.nhi.gov.tw
This is a website for enabling online login for the NHI (National Health Insurance) IC card. The card can then be used to file income tax online, which should be done this month.
Eddie, are you still working on tech eva in some capacity?
Flags: needinfo?(elin)
Comment 1 (Reporter) • 8 years ago
Comment 2 (Reporter) • 8 years ago
Also, unlike bug 1139756, the site can be accessed with Chrome without any warning UI.
Comment 3 • 8 years ago
etsai can help with outreach here, but would you be able to provide what the recommended fix for the site should be, Tim?
Flags: needinfo?(timdream)
Whiteboard: [needscontact]
Comment 4 (Reporter) • 8 years ago
(In reply to Mike Taylor [:miketaylr] from comment #3)
> etsai can help with outreach here, but would you be able to provide what the
> recommended fix for the site should be, Tim?
I am not qualified to answer this question, which involves the proper SSL/CA security design decisions. Maybe :emk would know?
Flags: needinfo?(timdream)
Flags: needinfo?(elin)
Updated (Assignee) • 8 years ago
Assignee: nobody → etsai
Comment 6 • 8 years ago
I don't know either. Honestly, I have no idea why the connection fails.
Flags: needinfo?(VYV03354)
Comment 7 • 8 years ago
I tried to debug this:
$ vfyserv cloudicweb.nhi.gov.tw
Connecting to host cloudicweb.nhi.gov.tw (addr 210.69.214.203) on port 443
PROBLEM WITH THE CERT CHAIN:
CERT 1. OU=政府憑證管理中心,O=行政院,C=TW [Certificate Authority]:
ERROR -8179: Peer's Certificate issuer is not recognized.
O=Government Root Certification Authority,C=TW
Error in function PR_Write: -8179
- Peer's Certificate issuer is not recognized.
Does it mean that the CA is not recognized? I see Taiwan GRCA in the database though. Maybe it's using a new CA, like the one in bug 1065896?
OK, so I imported the new root certificate from bug 1065896 and the reported website works again.
See Also: → 1065896
Comment 8 (Assignee) • 8 years ago
I received the reply from NHI's outsourcing company; their official answer is that what they can do now is send you a new CA. They're aware of the CA's problem in the Firefox browser, but I think the ball is in our court now.
Comment 9 • 8 years ago
Thanks, Eric.
According to Aaron and bug 1065896, both Mozilla and Taiwan GRCA are working on resolving this issue. Once the new root is imported into Firefox, this should be fixed.
Comment 10 • 8 years ago
The server needs to include this intermediate certificate https://crt.sh/?id=10926918 in the TLS handshake. (If you look at the SSL Labs report under "Certification Paths" (click "Click here to expand"), it's #3, which required an extra download to fetch. Chrome does that download. Firefox does not.)
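The failure mode in comment 7 (vfyserv reporting "Peer's Certificate issuer is not recognized") and the fix in comment 10 (send the intermediate in the handshake, because Firefox does not fetch it via AIA) can be reproduced offline with a small chain-building check. The program below is an added example, not code from the bug or from Mozilla: it generates a constructed root, intermediate and leaf at run time (nothing here is the real GRCA chain), then verifies the leaf against a trust store holding only the root, first with the server sending the leaf alone and then with the intermediate included. The hostname "cloudicweb.example" is hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed three-tier PKI standing in for root -> intermediate -> server.
// All certificates are generated here; none of them is the real Taiwan chain.
type testPKI struct {
	root, intermediate, leaf *x509.Certificate
}

const hostname = "cloudicweb.example" // hypothetical name, not the real site

func mustCert(tmpl, parent *x509.Certificate, pub, signer interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func buildPKI() testPKI {
	now := time.Now()
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign,
		}
	}
	rootTmpl := caTmpl(1, "Constructed Root CA")
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := mustCert(caTmpl(2, "Constructed Intermediate CA"), root, &interKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return testPKI{root: root, intermediate: inter, leaf: leaf}
}

// verifyWithoutAIA mirrors the Firefox behaviour described in the bug: the path
// is built only from what the server sent plus the local trust store. No AIA
// fetch is attempted, so a missing intermediate cannot be recovered.
func verifyWithoutAIA(sent []*x509.Certificate, roots *x509.CertPool) error {
	intermediates := x509.NewCertPool()
	for _, c := range sent[1:] {
		intermediates.AddCert(c)
	}
	_, err := sent[0].Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: intermediates, DNSName: hostname,
	})
	return err
}

// diagnose maps the verification result to the message a site owner needs.
func diagnose(err error) string {
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "issuer not recognized: chain does not reach a trusted root (missing intermediate?)"
	default:
		return "other: " + err.Error()
	}
}

// checkHandshake simulates a server sending either the leaf alone or the leaf
// followed by its intermediate, against a store that holds only the root.
func checkHandshake(p testPKI, includeIntermediate bool) string {
	roots := x509.NewCertPool()
	roots.AddCert(p.root)
	sent := []*x509.Certificate{p.leaf}
	if includeIntermediate {
		sent = append(sent, p.intermediate)
	}
	return diagnose(verifyWithoutAIA(sent, roots))
}

func main() {
	p := buildPKI()
	fmt.Println("leaf only:          ", checkHandshake(p, false))
	fmt.Println("leaf + intermediate:", checkHandshake(p, true))
}
```

The "leaf only" case is the state the bug describes: a client that only builds paths from the handshake plus its own store (no AIA chasing) stops at an unknown issuer, exactly what vfyserv printed. The same check run against a live server would take the certificate list from the handshake instead of the constructed one; the logic in verifyWithoutAIA does not change.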
Comment 11 • 8 years ago
Note the reported website had reverted their certificate to the older version. Firefox users should have no problem connecting to it now.
Comment 12 • 8 years ago
Looks like everything is done here. Can this be closed?
Updated • 8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated • 6 years ago
Product: Tech Evangelism → Web Compatibility