Secure Connection Failed for https://cloudicweb.nhi.gov.tw/ (Taiwan NHI IC card system)

RESOLVED FIXED

Type: defect
Severity: blocker
Reporter: timdream
Assignee: etsai
Whiteboard: [needscontact]
Attachments: 1

On Firefox 53 the error code is SEC_ERROR_BAD_SIGNATURE
On Nightly it says SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED (log attached)

https://cloudicweb.nhi.gov.tw/cloudic/system/Login.aspx

https://www.ssllabs.com/ssltest/analyze.html?d=cloudicweb.nhi.gov.tw

This is a website for enabling online login for the NHI (National Health Insurance) IC card. The card can then be used to file income tax online, which should be done this month.

Eddie, are you still working on tech eva in some capacity?
Flags: needinfo?(elin)
Also, unlike bug 1139756, the site can be accessed with Chrome without any warning UI.
etsai can help with outreach here, but would you be able to provide what the recommended fix for the site should be, Tim?
Flags: needinfo?(timdream)
Whiteboard: [needscontact]
(In reply to Mike Taylor [:miketaylr] from comment #3)
> etsai can help with outreach here, but would you be able to provide what the
> recommended fix for the site should be, Tim?

I am not qualified to answer this question, which involves proper SSL/CA security design decisions. Maybe :emk would know?
Flags: needinfo?(timdream)
Flags: needinfo?(elin)
Assignee: nobody → etsai
ni based on comment 4
Flags: needinfo?(VYV03354)
I don't know either. Honestly, I have no idea why the connection fails.
Flags: needinfo?(VYV03354)
I tried to debug this

$ vfyserv cloudicweb.nhi.gov.tw
Connecting to host cloudicweb.nhi.gov.tw (addr 210.69.214.203) on port 443
PROBLEM WITH THE CERT CHAIN:
CERT 1. OU=政府憑證管理中心,O=行政院,C=TW [Certificate Authority]:
  ERROR -8179: Peer's Certificate issuer is not recognized.
    O=Government Root Certification Authority,C=TW
Error in function PR_Write: -8179
 - Peer's Certificate issuer is not recognized.

Does it mean that the CA is not recognized? I see Taiwan GRCA in the database though. Maybe it's using a new CA, like the one in bug 1065896?

OK, so I imported the new root certificate from bug 1065896 and the reported website works again.
See Also: → 1065896
I received the reply from NHI's outsourcing company; their official answer is that what they can do now is send you a new CA. They're aware of the CA's problem in the Firefox browser, but I think the ball is in our court now.
Thanks, Eric.

According to Aaron and bug 1065896, both Mozilla and Taiwan GRCA are working on resolving this issue. Once the new root is imported into Firefox this should be fixed.
The server needs to include this intermediate certificate https://crt.sh/?id=10926918 in the TLS handshake. (If you look at the ssllabs report under "Certification Paths" (click "Click here to expand"), it's #3, which required an extra download to fetch. Chrome does that download; Firefox does not.)
Note the reported website has reverted their certificate to the older version. Firefox users should have no problem connecting to it now.

Looks like everything is done here. Can this be closed?

Status: NEW → RESOLVED
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility