MobileRead Forums - View Single Post

chaley · 04-03-2014, 01:58 AM

The "error decrypting" messages come from inside CC. It stores passwords encrypted using some bits and pieces of the site. It can't successfully encrypt the password until it connects. You can ignore these messages.

The important message is that last one. It is saying that the networking code is unable to verify the certificate. CC uses strict verification, which means that the cert chain must be available and that the host name in the URL must exactly match the host name in the cert.

It sounds as if you have checked using the identical URL from chrome on the device, which is confusing. If it works, then either the cert chain is available or the intermediate certificates are stored in chrome's cert store (which would be unusual). It also might imply that either chrome is not doing hostname verification or that an exception was allowed at some point in the past. Not doing hostname verification creates a *huge* security hole so I would be surprised if it does it, but I don't really know either way.

Do verify that the certificate chain is available in your server. I also use a Comodo (positiveSSL) cert, and to make mine work I had to give apache a "bundle" of certs that form the chain from mine to the root cert. There are three certs in that bundle, none of which are my site cert. They are, in the order they appear:

AddTrustExternalCARoot.crt
PositiveSSLCA2.crt
UTN-USERFirst-Hardware.crt

I don't remember exactly why I had to add the last one (a root cert), but IIRC it didn't work universally until I did.

Have you done something similar with IIS? Looking at the link https://www.onestepssl.com/install_iis5_ssl.php it seems that similar steps are required.

There is another possibility that is hard to check: CC currently is built with Apache's HttpClient 4.2.1, which is out of date. The latest available is 4.3.1. The possibility is that some bugs were fixes in the later releases. I consider this improbable, but not impossible. In any event, during the next prerelease cycle I will update the library. Of course, that doesn't help you now.

04-03-2014, 01:58 AM	#6
chaley Grand Sorcerer Posts: 12,465 Karma: 8025600 Join Date: Jan 2010 Location: Notts, England Device: Kobo Libra 2	The "error decrypting" messages come from inside CC. It stores passwords encrypted using some bits and pieces of the site. It can't successfully encrypt the password until it connects. You can ignore these messages. The important message is that last one. It is saying that the networking code is unable to verify the certificate. CC uses strict verification, which means that the cert chain must be available and that the host name in the URL must exactly match the host name in the cert. It sounds as if you have checked using the identical URL from chrome on the device, which is confusing. If it works, then either the cert chain is available or the intermediate certificates are stored in chrome's cert store (which would be unusual). It also might imply that either chrome is not doing hostname verification or that an exception was allowed at some point in the past. Not doing hostname verification creates a huge security hole so I would be surprised if it does it, but I don't really know either way. Do verify that the certificate chain is available in your server. I also use a Comodo (positiveSSL) cert, and to make mine work I had to give apache a "bundle" of certs that form the chain from mine to the root cert. There are three certs in that bundle, none of which are my site cert. They are, in the order they appear: AddTrustExternalCARoot.crt PositiveSSLCA2.crt UTN-USERFirst-Hardware.crt I don't remember exactly why I had to add the last one (a root cert), but IIRC it didn't work universally until I did. Have you done something similar with IIS? Looking at the link https://www.onestepssl.com/install_iis5_ssl.php it seems that similar steps are required. There is another possibility that is hard to check: CC currently is built with Apache's HttpClient 4.2.1, which is out of date. The latest available is 4.3.1. The possibility is that some bugs were fixes in the later releases. I consider this improbable, but not impossible. In any event, during the next prerelease cycle I will update the library. Of course, that doesn't help you now.