How to fix Google Chrome SHA1 warnings with StartSSL – StartCom SSL certificates

I recently renewed my SSL certificate for one of my domains. I use the domain specifically so that I can access my Synology Diskstation NAS drive remotely. After updating the certificate in the Diskstation I noticed that the Cloudstation client started reporting errors, namely that “The SSL certificate is untrusted”, and all syncing had paused.

Untrusted SSL warning on the Synology Cloudstation Client Windows 10

I checked the certificate using SSL Labs. All was good. The certificate chain appeared to be in order. I also checked it on SHAAAAAAAAAAAAA, and again all was good. I decided to check it in Google Chrome, and oops, a little yellow warning triangle stating that there was a problem with my certificate. The problem, it seemed, was that one of the certificates in the chain was using SHA1.

Google Chrome SHA1 warning intermediate certificate from StartCom StartSSL

I double checked SHAAAAAAAAAAAAA and SSL Labs. Both the root and intermediate certificates from StartCom seemed to be using SHA256. What is going on?

I then noticed a warning on SHAAAAAAAAAAAAA that said:

If Chrome still says the site uses SHA-1, it’s probably a chain caching bug on your computer.

Interesting, let’s look further. Now I start to get a bit more detail. To cut a long story short, it seems that Windows has a weird bug in its CryptoAPI. It is a bug that has been there for ages, and all certificate authorities should be more than aware of it. As a result, certificate authorities should have re-issued new intermediate SHA256 certificates signed with new private keys, rather than reuse the keys they used previously. It appears that StartCom hasn’t done that, and as a result, we are seeing these weird caching bugs in Windows (as I understand the issue).
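To work out which certificate in a chain actually carries the SHA-1 signature (and to compare the chain the server sends with the one the browser ended up building from its cache), here is an added Python example that is not part of the original post. It reads the signatureAlgorithm field of each DER certificate with the standard library only; the sample chain at the bottom is constructed in the code and is not a real StartCom certificate.

```python
import re, base64

# OIDs seen in the signatureAlgorithm field; anything else is reported as dotted digits.
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.10045.4.1": "ecdsa-with-SHA1",
            "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def der_tlv(buf, pos=0):
    """Decode one DER element at pos: returns (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """OBJECT IDENTIFIER contents to dotted form (first byte packs two arcs, rest base-128)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, body, _ = der_tlv(cert_der)            # outer SEQUENCE
    _, _, after_tbs = der_tlv(body)           # skip tbsCertificate
    _, alg, _ = der_tlv(body, after_tbs)      # AlgorithmIdentifier SEQUENCE
    _, oid, _ = der_tlv(alg)                  # its first element is the algorithm OID
    return SIG_OIDS.get(decode_oid(oid), decode_oid(oid))

def pem_chain_to_der(pem_text):
    """Split a PEM bundle (e.g. exported from Chrome's certificate viewer) into DER blobs."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode(b) for b in blocks]

def sha1_offenders(chain_der):
    """Chain ordered leaf first, root last. Chrome does not check the root's self-signature,
    so only the leaf and intermediates count; returns the positions that are SHA-1 signed."""
    return [i for i, c in enumerate(chain_der[:-1]) if "sha1" in signature_algorithm(c).lower()]

# --- constructed sample input: not real certificates, only signatureAlgorithm is meaningful ---
def _tlv(tag, payload):
    return bytes([tag, len(payload)]) + payload         # short-form length, payload < 128 bytes
def fake_cert(sig_oid_hex):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))               # placeholder tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(sig_oid_hex)))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))  # plus an empty signatureValue
SHA1_RSA, SHA256_RSA = "2a864886f70d010105", "2a864886f70d01010b"
SAMPLE_CHAIN = [fake_cert(SHA256_RSA), fake_cert(SHA1_RSA), fake_cert(SHA1_RSA)]  # leaf, old intermediate, root
```

Run it over the chain the server sends (openssl s_client -showcerts) and again over the chain exported from Chrome: if only the latter shows a SHA-1 intermediate, it is the cached chain, not the server, that needs fixing.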

So, how do we solve this? First we need to get the correct intermediate certificates. Apparently StartCom had issued new intermediate certificates at some point. This website allows you to download them: https://class1.test.itk98.net/.

Note: I know it seems weird to download a security certificate from some website that is unrelated to StartCom, but if you think about it, the certificate has to be genuine. Please correct me if I’m wrong!

I have a class 1 certificate, so I’ll download the PEM version of that (top of the page on itk98.net). I now go into the Diskstation manager and from the control panel I choose the ‘Security’ option and the ‘Certificate’ tab. From there I can ‘Import’ a new certificate. I choose my private key used to sign the CSR, my certificate downloaded from StartSSL (.crt) and the new intermediate certificate I just downloaded from that ‘dodgy’ sounding itk98.net URL.

Synology DSM certificate import control panel

After installing, the web server on the Diskstation restarts. I now need to clear out the old SHA1 StartCom Intermediate Server certificate from Google Chrome’s certificate cache.

How to clear out the StartCom intermediate certificate from Google Chrome’s certificate cache.

After opening a new incognito window in Chrome, I have a nice green SSL marker. Yay!

Google Chrome with the SHA256 intermediate certificate from StartCom StartSSL. Problem solved!

Finally back to the Synology Cloudstation Client on Windows 10. I have to click on the little icon (three blue lines and a down arrow) on the far right of the diskstation name. Choose Edit Connection. A modal appears in which you can just re-enter your password and click ‘Done’. You will receive a message that states that the SSL certificate has changed and asks you if you want to trust it. Hell yes….

Once the Synology client has reconnected, you’ll notice that the untrusted SSL warning has now gone away and the Synology Cloudstation Client is back syncing again.

Synology Cloudstation Client on Windows 10, no more untrusted SSL certificate warnings or errors

And that was my Wednesday evening.

Skype problems with group calls are about to lose me as a customer

I am a heavy Skype user and I use it to keep in contact with my office remotely. I regularly use my Skype-in number, 1-1 Skype and group Skype conference calls. I pay a subscription and frequently top-up my account for VOIP calls.

I am a long time Skype user, first signing up when Skype launched. The quality first started to wane when the P2P supernodes architecture was changed to route everything through the NSA/Microsoft servers in the US.

The quality of Skype group calling has got worse and worse as a result of this architectural change. Over the last month or so, the quality has dropped so that it is unusable for group calls. I don’t know what has changed (my network hasn’t changed as far as I can tell), but the quality is now dire.

As a result I have started to move my entire company to Google Hangouts, which is qualitatively much better than Skype for group calling. The audio is crystal clear. I can share my screen easily and at high quality. Apart from the awful Hangouts user selection tools, Hangouts wins hands down.

I spend a fair amount of money on Skype. My company all currently use Skype as well. Skype need to consider ways in which they can improve group calling quality. The lack of quality is about to drive us all into the hands of their competitors.

Finally a note on privacy. Skype lost my trust when it came out that Microsoft seems to have bedded down with the NSA, rolled over and gladly taken it up the arse from the NSA. Microsoft (in my opinion) is the corporate equivalent of a whoring rent boy. Google Hangouts probably isn’t any more secure or private, and I accept that. What both companies need to appreciate is that non-US citizens are now actively seeking European secure alternatives to group chat and VOIP conference calls. We are prepared to pay, and European start-ups should realize that this is a great opportunity to enter a market that was previously locked up by large US incumbents, but which, due to the NSA, has now become wide open again in the EU market-place.

The first European company that builds a simple client that allows people to text chat and VOIP call easily with a screenshare will get my money. Your requirements are thus:

  • An easy to use VOIP client that uses P2P
  • Simple way to find other users without registering
  • A group text chat feature
  • A screen-share feature

Go get ’em EU start-ups! Skype problems are to your advantage!

What is really painful is when someone has the bean but also has the power to insist YOU carry out the nasal insertion on their behalf.

Beans and Noses » UIE Brain Sparks

A lovely analogy of a client who is determined to stick a bean up their nose. You can’t stop them doing it, but you can charge them extortionate amounts to extract the bean at a later date when they realise that it was an awfully stupid idea.

The quote above was from a comment on this article that made me laugh out loud.