Likely false warning about "Chrome's CT requirements" #77

Open
hannob opened this issue Jan 9, 2024 · 0 comments

hannob commented Jan 9, 2024

For the host "fancyssl.hboeck.de" I get a note under WWW/TLS:

Server is not compliant with Chrome's CT requirements
Not all TLS connections with this server satisfy Chrome's CT requirements even. This is not necessarily a problem, as CT compliance is only required for certificates issued from May 2018. 

It appears to me this is incorrect. The certificate is a standard Let's Encrypt certificate which has SCTs embedded; that should be alright.

I can only guess what triggered this warning, but the host is configured for TLS 1.3 only. Maybe there's some detection of TLS extensions (as CT compliance can be achieved either with a TLS extension or with SCTs embedded in certs directly) that is triggered here and causes some logic error.

Furthermore, the last sentence ("This is not necessarily a problem, as CT compliance is only required for certificates issued from May 2018. ") is obsolete, as there are no more valid certificates issued before May 2018. So if there is no CT compliance, there's almost certainly a problem.
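
The issue's point that SCTs can arrive either in a TLS extension or embedded in the certificate, as an added example (not code from this issue or from the project): a parser for the TLS-encoded SCT list of RFC 6962 that counts distinct logs over both channels, so an empty TLS extension alone does not read as "no CT". The function names and sample bytes are constructed for illustration, and the embedded list is assumed to be already unwrapped from its ASN.1 OCTET STRING.

```python
import struct

MIN_SCT = 1 + 32 + 8 + 2 + 2 + 2  # version, log_id, timestamp, ext len, sig alg, sig len

def parse_sct_list(data: bytes) -> list:
    """Parse a TLS-encoded SignedCertificateTimestampList (RFC 6962, section 3.3)."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("bad SCT list length")
    scts, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT length prefix")
        (n,) = struct.unpack_from(">H", data, pos)
        sct = data[pos + 2:pos + 2 + n]
        if len(sct) != n or n < MIN_SCT:
            raise ValueError("truncated SCT")
        scts.append({"version": sct[0], "log_id": sct[1:33].hex(),
                     "timestamp_ms": struct.unpack_from(">Q", sct, 33)[0]})
        pos += 2 + n
    return scts

def distinct_logs(*channels: bytes) -> set:
    """Union of log IDs over every delivery channel; an empty channel is skipped."""
    logs = set()
    for blob in channels:
        if blob:
            logs.update(s["log_id"] for s in parse_sct_list(blob))
    return logs

def make_sct(log_id: bytes, ts_ms: int) -> bytes:
    # Constructed SCT: v1, no extensions, SHA-256/ECDSA (4, 3), dummy 8-byte signature.
    body = (b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00"
            + b"\x04\x03" + struct.pack(">H", 8) + bytes(8))
    return struct.pack(">H", len(body)) + body

def make_sct_list(*scts: bytes) -> bytes:
    blob = b"".join(scts)
    return struct.pack(">H", len(blob)) + blob

# Constructed sample: two SCTs embedded in the certificate, none in the TLS extension.
EMBEDDED = make_sct_list(make_sct(b"\xaa" * 32, 1704758400000),
                         make_sct(b"\xbb" * 32, 1704758400000))
TLS_EXT = b""

if __name__ == "__main__":
    print("TLS extension only:", len(distinct_logs(TLS_EXT)))
    print("both channels:     ", len(distinct_logs(EMBEDDED, TLS_EXT)))
```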
