Opera 12.17 no longer works with https for me
-
Deleted User last edited by
Opera 12 has really strange problems with some websites and TLS.
I have recognized:
- Some websites hosted on Cloudflare servers
- some websites hosted elsewhere but have Cloudflare SSL certificates
- some websites have only modern cryptografic ciphers
- Some websites Opera has stranges OCSP problems
So i have to use Firefox or new Opera.
-
stng last edited by
@mxxxw
Can you provide an URL that causes the problem with SSL? What is your Opera's version - x86 or x64?Some are hosted by Cloudfire, but not all. Yes, it's the Error 40 I get. But sadly , replacing the existing cert files did not help.
Hmmm. The new root certificates did helped me! At least, an web-site that uses certificate issued by Cloudfire works now. With old Opera's certs it didn't worked ( "connection failed", "fatal error (40)" ).
But works now: https://archlinux.org.ru/
Cert:
Holder: ssl2000.cloudflare.com, CloudFlare, Inc.
Issuer: GlobalSign Organization Validation CA - G2, GlobalSign nv-sa
Expires: 12.10.2015 10:08:00 GMT
Encryption protocol TLS v1.0 128 bit AES (2048 bit RSA/SHA)p.s. Tested in Opera 12.17 x64 (Win7 x64)
-
stng last edited by
Tested in Ubuntu 13.04 / Opera 12.14 x86. Works too for me (with replaced root certs)!
-
rseiler last edited by
No effect here (eztv.it, dabr.eu, archlinux.org.ru, etc).
@stng, where did those files come from and what gave you the idea that they would work? Why do they seemingly work for some people? And since the files are updated every single time you run Opera, even if they did work, what good are they?
-
Deleted User last edited by
Try to import chr... Opera's root certs to the Opera 12.
Download archive: https://app.box.com/s/5p00vediw04ds7xkxwgg
Close Opera
Extract archive to your Opera's profile folder (don't forget to backup all *.dat files before any manipulations). Replace(rewrite) original *.dat files with files from zip-archive.You should explain where to get the other/missing certificates and how to import, to get it work.
Replacing opera certs files from a unknwon dropbox is not very secure!
I would never trust such download!!! -
rseiler last edited by
Or better, what he changed in which cert to make a difference.
Upon disabling TLS 1.1/1.2, I found that with the above files I can get to archlinux.org.ru but not the other two sites I mentioned (and probably many more sites), so it's not a full solution. We may be close to a solution with more information from stng.
-
stng last edited by
where did those files come from and what gave you the idea that they would work? Why do they seemingly work for some people? And since the files are updated every single time you run Opera, even if they did work, what good are they?
I found this solution on the Operafan(net) forum. Opera certs were extracted from the Opera-Next-12.00-1027 snapshot build. I just re-uploaded archive in a more common ZIP-format (the original attachment was in 7zip).
It fixes archlinux.org.ru (that definitely uses problem Cloudflare certificate). But doesn't help to fix other web-sites mentioned here.So what we really need to know, why it's helps with archlinux.org.ru (with cert issued by Cloudflare!), but not with others mentioned here??? Maybe we should try to use another certs?
-
stng last edited by
eztv.it, dabr.eu, archlinux.org.ru, etc
Opera 11.64 (Windows) works fairly well with these sites! But 11.64 asks to accept a Cloudflare certificate. For unknown reasons Opera 12.00 build 2.00-1312 (and later versions) don't asks for certificate and blocks access immediately...
-
stng last edited by
Sorry, my error here. Opera 12.00 build 2.00-1312 - is more likely THE LATEST build that could accept a Cloudflare certificate (i am not sure, because i didn't checked all later builds).
-
rseiler last edited by
OK, so with that we're very close now, I think. Looking at 11.64, when you visit any of the above sites you're presented with one or two certificate error dialogs that allow you to approve and remember the given certificate.
The reason for all this seems to simply be a certificate name mismatch, which Opera (correctly) deems suspicious. For example, instead of the certificate matching the site's name, it's something like "ssl2000.cloudflare.com."
The question is: Why doesn't Opera 12 present the same dialog? Is there an option to enable that feature? If so, problem solved.
The next-best thing would be to export the "approved" certs from 11.64 and import them into 12, but Opera balks at that upon import in 12.17, even when exported from 12.00-1312 (arc.opera.com/snapshot/windows)
This seems to me a much simpler problem to solve than what we thought previously, that Opera was missing some important security feature like ECDSA. That never made sense to me when Cloudflare's own support page resolutely claims that Opera 8(!!!) and higher are compatible with Universal SSL.
-
stng last edited by
In my Opera 12.14, I tried to put(replace) opssl6.dat and optrust.dat files that i get from the 12.00-1312 after approving Cloudflare's certificates from a few problem web-sites. It's works, but for a very short time :(. Then Opera 12.14 removes these "extraneous" and weak certificates automatically from its memory and from the opssl6.dat file :(. Opera stops to recognize these certs.
The only working solution i've found - using a kproxy (free web-service) that helps to open a problem sites with a Cloudflare-issued certs in Opera 12. I wrote a special keyboard shortcut and macros that allows to do it as quickly as it possible in the address bar and in the main browser window.
1.How it works:
-
When i typing an URL in the address bar (for an example dabr.eu, that have Cloudflare-issued certificate), i press Alt+Enter shortcut. Then this site opens through the KPROXY, bypassing problems with SSL.
-
When i press Alt+F1 (outside the address bar, elsewhere in browser), Opera loads the current URL through the KPROXY. This can be used for a new, unknown web-sites with a "weak" Cloudflare cert.
2.How to set this up:
-
Go to web-site www.KPROXY.com
-
Click with right mouse button on the search filed, choose "Create Search..."
-
Set the keyword as KP, press OK
-
Go to Preferences - Advanced - Shortcuts - Keyboard setup - Edit
-
In the "Advanced" -> "Address dropdown widget" section create the new keyboard shortcut ("New..")
a)Set the value in the first column: Enter alt
b)Set the value in the second column: Go to line start & Insert,"kp " & Go
-
In the "Application" section create the new keyboard shortcut ("New..")
-
a)Set the value in the first column: F1 alt
b)Set the value in the second column: Go to page, "kp %u"
-
"Ok" - "Ok"
-
-
rseiler last edited by
One weird thing about moving the couple cert files over (I think opuntrust and optrust are the two main ones for this) is that the sites DO show up in Manage Certficates/Approved, but that isn't enough to make them work (you're at least getting it to work for a short time). There's obviously some other cubbyhole in Opera where the permission for the given site is stored, and we're somehow missing it.
Anyway, nice idea about the proxy. I'll try it.
Meantime, I'm thinking of opening another thread asking about Opera 12.17 not presenting a permission dialog when a site's certificate doesn't match the domain like Opera 11.x and early test builds of 12 did. This seems to be something they later decided against showing, but it would be nice to know if that's the case and whether there's an obscure option to re-enable it.
-
blackbird71 last edited by
There may be a clue to what's involved in the transitory cert-approval behavior in this Opera statement (from http://www.opera.com/docs/ca/ ) :
"Newer versions of Opera (14 and higher) use the root store provided by the operating system and the list of EV-enabled roots maintained by Google. Older versions of Opera (versions 9.5 through 12) use Opera's online root store. Until fall 2013, the online solution was built on Opera's root store program, but after that it is based on NSS by Mozilla.
To get certificates to be accepted by Opera, roots should be part of the above-mentioned root store programs."
Consequently, it's conceivable that no matter what a user does to fiddle with the cert files, Opera goes online to check the online store and negates whatever has been altered, or at least part of what's been altered.
-
rseiler last edited by
Yet that check doesn't affect browsers where those permissions originated, such as 11.64 and 12 alpha. How can that be? Maybe some sort of signature within the approved certificate in Opera that ties it to that particular installation of Opera?
-
blackbird71 last edited by
It's also possible that the coding within Opera was altered around the onset of version 12 in those areas that handle the online certs and handshaking, so that it might work differently in some way(s) from older versions - intentionally or otherwise. If it was intentional, it might or might not be apparent from knowledgeable, detailed examination of change logs; if it wasn't intentional (or was an overlooked byproduct of some other issue-focused logged change), there would be no visible record.
-
A Former User last edited by
Now add thepiratebay.se to the list.
I really hope this was meant to be tongue-in-cheek!
-
iamjohngalt last edited by
That's right, thepiratebay.se no longer works with Opera 12.17, 1863.
Secure connection: fatal error (40) from server. -
stng last edited by
That's right, thepiratebay.se no longer works with Opera 12.17, 1863. Secure connection: fatal error (40) from server.
It has problematic Cloudflare's SSL cert.
We need a working opera.dll patch. It's probably possible to prevent the blocking of a cloudflare's certs by Opera 12.x.
-
ppnsteve last edited by
So If I'm reading all this right there isn't a fix yet?
BTW I'm not able to connect to a site using a EV cert from GeoTrust, not a Cloudflare one here.Does anyone else have any ideas or a workaround to bypass the error page?