Security certificates - why do I get problems on Logos.com product pages.

Page 2 of 2 (31 items) < Previous 1 2
This post has 30 Replies | 1 Follower

Posts 1881
Donnie Hale | Forum Activity | Replied: Wed, Feb 25 2015 6:20 AM

Do a google search on lrscorp. It's somehow related to Faithlife / Logos, but I'm not sure how.

My suspicion is that your automatically detected proxy settings are forcing your requests through an SNI-ignorant proxy infrastructure. But I would love Faithlife to respond about what / where there's anything from Faithlife / Logos responding with an lrscorp.net certificate.

Donnie

Posts 698
LogosEmployee

Donnie Hale:
For the individual who was seeing the errror accessing vyrso.com but was being returned a verbum.com certificate, which does sound like an SNI issue, wouldn't affirmation of your hypothesis consist of the user accepting the certificate so that he/she navigates to the site and then see if he/she arrives at the verbum web site (rather than vyrso)? I think that would prove that the request was handled by the verbum "web site" or "virtual host" - on whatever web server you're using.

TL;DR:

If a SNI-troubled client negotiates a TLS session using the "wrong" certificate (e.g. a verbum.com cert for requests to vyrso.com), the web server will still serve the expected web content—requests for vyrso.com will still return vyrso.com content even if the verbum.com certificate is used to negotiate the TLS session.

Longer version:

I'm not entirely sure how much technical detail people in this thread want, and I'm hoping to ditch our use of SNI for these sites, but here goes (I'm simplifying a couple of steps; indulge me):

SNI affects the TLS negotiation, but wouldn't affect the HTTP request that is wrapped by that TLS session. When your browser reaches out to the web server to negotiate TLS, it does a DNS lookup of the IP address associated with the name. It then opens a connection to port 443 and initiates the TLS negotiation. If it supports SNI, it will use the host portion of the URL to specify a hostname parameter sent along to help the server determine which certificate should be used for the TLS session. If the client (or any intermediary) does not support SNI, it will simply make the request to the raw IP address and the server will use whichever certificate it is configured to use for that IP address by default. If the default certificate configured for the IP happens to match the host in the client-specified URI, all is well. If the cert does not match, the browser will (typically) warn the user. If the user clicks some sort of "ignore" or "allow" link or button, the TLS negotiation will succeed.

"Inside" this TLS session, the browser will send the HTTP request which will almost certainly include an HTTP Host header. The web server will use the contents of that HTTP request to decide which content to serve. An HTTP request for https://vyrso.com will send an HTTP Host header for vyrso.com even if the TLS session is negotiated using a certificate for a different domain

If anyone is *really* interested in hashing out the details in more depth, my email address fits the format firstname.lastname at faithlife.com. We can save everyone else from the boring details.

Director of Engineering for Enterprise and Operations

Posts 698
LogosEmployee

Donnie Hale:
But I would love Faithlife to respond about what / where there's anything from Faithlife / Logos responding with an lrscorp.net certificate.

lrscorp.net is a domain we have registered

http://whois.icann.org/en/lookup?name=lrscorp.net

Director of Engineering for Enterprise and Operations

Posts 98
Tim Lord | Forum Activity | Replied: Fri, Feb 27 2015 3:59 PM

Cameron, thanks much for looking further into this.  I will take a look at tinkering with some other settings, I think you might be right about what my anti-virus software may be doing.  By the way, I do hope Logos finds a solution, because I cannot imagine the large number of potential customers seeing the same thing I do and avoiding the various Logos web sties because of concern about security risks.  This cannot be good for business revenue.  The only reason I have gone ahead and bypassed the security warnings is because I am a long-time Logos customer and I know that this problem is likely not a valid security threat because I trust Logos and its many vigilant discussion forum customers to keep a good eye out and keep things running right.  Thank you for all your help.

Posts 98
Tim Lord | Forum Activity | Replied: Fri, Feb 27 2015 4:15 PM

Hi, Cameron. I unchecked "Automatically detect settings" and restarted my I.E. web browser and it did NOT resolve the problem, I get the same security warnings.  So, perhaps that leaves me with trying to figure out if I need to change a configuration setting on my security software.  By the way, I am not using any company settings on my web browser, I merely meant to say that for access into my company network I am currently limited to I.E. version 10 for compatibility reasons with company legacy software, and so cannot yet upgrade to version 11.  So, my I.E. 10 settings are pretty much "out-of-the box" Windows 7 default settings.  However, I would be quite surprised if Logos software was incompatible with I.E. version 10 as it is not that old, and there may be many other people in my situation you are one version behind, so there would be no reason to exclude those folks from being Logos customers or potential Logos customers, in my thinking.

Posts 47

In case this helps anyone... I have also been having this problem within the last week. (I am also on an older computer with IE 10.) It seems to be fixed after I checked all three TLS boxes in Internet options under advanced. I assumed they were all checked, but two of them were unchecked.

Sarah Blake LaRose

http://www.night-light.org

 

Lenovo Thinkpad, 8GB RAM, 1.50GB quad core processor, Win 7, Logos 6

 

Posts 98
Tim Lord | Forum Activity | Replied: Sat, Mar 14 2015 8:47 PM

Thank you, Sarah!  This fixed my issue as well.  I only had "TLS 1.0" checked as default.  Once I also checked "TLS 1.1" and "TLS 1.2", the issue was resolved.  I do not know why Logos tech. support is not aware that the default I.E. 10 configuration may not have all of the TLS settings checked, but this should be added to Logos Tech. Support's knowledge base as it will surely help resolve the issue for everyone else who has this problem.  Thanks again for sharing your solution!

Posts 7923
LogosEmployee

Tim Lord:
I do not know why Logos tech. support is not aware that the default I.E. 10 configuration may not have all of the TLS settings checked, but this should be added to Logos Tech. Support's knowledge base as it will surely help resolve the issue for everyone else who has this problem.

I didn't know IE10 didn't support newer TLS versions by default, either. I'll pass this information along. Thanks!

Posts 13218
Forum MVP
Mark Barnes | Forum Activity | Replied: Sun, Mar 15 2015 8:45 AM

Bradley Grainger (Faithlife):
I didn't know IE10 didn't support newer TLS versions by default, either. I'll pass this information along. Thanks!

I reported another SSL error last week that's still not been acknowledged: https://community.logos.com/forums/t/102023.aspx 

Posts 681
Kevin A Lewis | Forum Activity | Replied: Fri, Mar 20 2015 10:40 AM

I am using IE11 - and it interesting I only ever see this problem with Faithlife websites. I have nearly never seen it with anything else. So it almost certainly something you are doing unique.

Regards Kevin

Posts 47

It is because Lrscorp.com holds the certificate that is responsible for all of the Logos domains: logos.com, faithlife.com, biblia.com, etc. This can be a security liability, so your browser will prompt you to accept or reject the certificate if it cannot determine who Lrscorp.com is responsible for.

Sarah Blake LaRose

http://www.night-light.org

 

Lenovo Thinkpad, 8GB RAM, 1.50GB quad core processor, Win 7, Logos 6

 

Page 2 of 2 (31 items) < Previous 1 2 | RSS