item 35003291

28mm | 3 years ago

I am not sure about that. On my system that openssl invocation fails because the site doesn't staple the intermediate Let's Encrypt R3 certificate, and openssl doesn't retrieve it while browsers do.

If their system is old enough, perhaps they have a version of the ISRG X1 certificate that is cross-signed by the expired DST X3 certificate. Some SSL implementations did poorly with this. https://letsencrypt.org/docs/dst-root-ca-x3-expiration-septe...

jborean93 | 3 years ago

That could be it for you, but I have a newer OpenSSL version (3.0.8) and the error does state the following:

> 006E552F8D7F0000:error:0A000172:SSL routines:tls12_check_peer_sigalg:wrong signature type:ssl/t1_lib.c:1592:

The error from Firefox is SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM, which seems to align with what I'm seeing on the signature algorithm returned. Lastly, by setting my system-wide policy to allow the LEGACY (Fedora's term) algorithms, the website starts to work on Firefox.

It could very well be that the server is at fault here (based on what I've read this seems to be the case) and that's due to the Let's Encrypt cross-signed certificate. But the reason it's failing to load on the client side is that some clients block SHA1-based signing algorithms, and that's what the server is offering here.
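The two comments above touch two different places where SHA-1 can show up: the signature on each certificate in the chain (the cross-sign discussion in the first comment) and the signature algorithm negotiated inside the TLS handshake (the tls12_check_peer_sigalg error in the second). The handshake side is what OpenSSL's security level and Fedora's crypto policy gate, and it is not visible from the certificates alone. The chain side, however, can be checked offline on any DER certificates you already hold, for example ones exported from a browser or from `openssl s_client -showcerts`. The following is an added example, not code from either commenter; it uses only the Python standard library, implements just enough DER parsing to read the outer signatureAlgorithm OID of an X.509 certificate, and builds constructed skeleton certificates (empty tbsCertificate, dummy signature) so it runs without any real key material. The OID-to-name table contains real, well-known OIDs; everything else (function names, the fake-certificate builder) is this example's own.

```python
"""Scan DER-encoded X.509 certificates for SHA-1 based signature algorithms.

Stdlib only. The DER walker is minimal on purpose: it reads the outer
Certificate SEQUENCE, skips tbsCertificate, and decodes the OID inside
signatureAlgorithm. It does not validate the certificate in any way.
"""

# Real OIDs for common signature algorithms: dotted OID -> (name, sha1_based)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode DER OID content bytes into dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Return the dotted OID of a certificate's outer signatureAlgorithm."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _tbs, pos = _read_tlv(body, 0)
    _, alg, _ = _read_tlv(body, pos)
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(oid)


def sha1_signatures_in_chain(chain_der):
    """Return [(index, name)] for every certificate in the chain signed with SHA-1.

    Unknown OIDs are reported as not SHA-1; they would need a table entry.
    """
    findings = []
    for i, der in enumerate(chain_der):
        oid = signature_algorithm(der)
        name, sha1_based = SIGNATURE_OIDS.get(oid, (oid, False))
        if sha1_based:
            findings.append((i, name))
    return findings


# --- constructed sample input (not real certificates) -----------------------

def _der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_fake_cert(sig_oid):
    """Hypothetical certificate skeleton: empty tbsCertificate, NULL params, dummy BIT STRING."""
    tbs = _der(0x30, b"")
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\x00" * 4)
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    chain = [make_fake_cert("1.2.840.113549.1.1.11"),  # leaf, SHA-256
             make_fake_cert("1.2.840.113549.1.1.5")]   # intermediate, SHA-1
    print(sha1_signatures_in_chain(chain))  # constructed chain, flags index 1
```

For real input, read each certificate file in binary mode and pass the bytes (PEM can be converted with `ssl.PEM_cert_to_DER_cert`). A clean result here does not clear the handshake: a server can still sign its ServerKeyExchange or CertificateVerify with a SHA-1 algorithm even when every certificate in the chain uses SHA-256, which is exactly the case the second comment's OpenSSL error describes.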