Why do I see certificate warnings on hotspot logins? by Mike Everest

Q: We recently decided to install SSL certificates on all of our hotspot routers.

We had great success with the exception of an error coming from Firefox.

I’m sorry that the answer is not short ;-)

What you are seeing is a failure of certificate validation. Keep in mind that https is a three-party process: client, server and certificate authority. When a client makes an initial request to the ssl server, the server replies (as part of the https setup handshake) with its certificate, which carries the server's public key. Embedded in the certificate are the details of the certificate issuer (the certificate 'signer'); the client then checks with that issuer to make sure that the public key presented by the server matches what the signer says is the correct key for that domain/hostname. This is how we can be confident, when we visit some https service, that it is NOT some third party intercepting our requests and masquerading as that service.

The problem when doing this behind a captive portal is that the captive portal will usually block access to the certificate authority's validation (OCSP) server and/or its revocation (CRL) server. Therefore the client is not able to 'validate' the certificate. The client/end user can usually ignore the warning, continue with the request and still get an encrypted session, but doing so means accepting the risk that the remote web site is not who it claims to be.

OK, so you probably already know that, and since you seem to have got to the stage where your ssl login page works OK, you may have already added the OCSP/CRL servers for your certificate issuer to the captive portal walled garden. If you have NOT done that, then the only reason you do not see the warning in those other browsers is that you have already cached the web server certificate (for secure.myport.com.au) in the macOS certificate cache. Careful! Other customers who have not previously accessed your web site may still see the certificate warning when accessing the captive portal unless you add the CRL/OCSP servers to the walled garden list.

So to answer your question, the reason that you see the warning when you use Firefox and not with the other browsers is that it is not access to YOUR web site that is spawning the error; it is in fact access to the Google service that is causing the problem.

It is possible that the error is because the client is not able to validate the Google certificate (unless you have walled garden exceptions for the Google certificate signer's services), but there is another factor at play here too that is also likely to cause a problem.

Consider what happens when you try to access an ssl web site from inside a captive portal. What about when your default home page is an https location (e.g. https://my.google.com)? If you connect to the wifi, then open your web browser, it will issue a web request to https://my.google.com – BUT your captive portal will intercept that request and reply 'on behalf' of my.google.com with a 302 redirect to the hotspot login page. But that initial request is https, and the only way that the hotspot can issue a reply is to go through the whole ssl setup process, INCLUDING presenting a certificate and public key. However, that public key will NEVER match what the certificate authority says is the correct key for my.google.com (unless you ask Google to kindly give you their private key so that your hotspot can decrypt their encrypted requests! ;-) and so that kind of request will ALWAYS throw a certificate warning.

Since the Firefox browser has a home page that is hosted locally, there is no need for any ssl – but the search form on that page submits to https://www.google.com/?..etc.. and there lies your certificate problem.

Unfortunately, there is NOTHING that you can do to prevent this from occurring, other than what I have suggested above – which, arguably, will also never happen! ;-)

Hope it all makes sense!

Further questions are welcome!
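The two practical checks from the answer above, as an added example in Go that is not part of the original article: it builds a constructed self-signed certificate for the login host secure.myport.com.au (the OCSP and CRL URLs under example-ca.test are made up) and shows, first, which hosts an admin must add to the walled garden so clients can validate the login page's certificate, and second, why answering an intercepted request for my.google.com with that certificate always fails hostname verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"net/url"
	"time"
)

// MakeHotspotCert builds a constructed self-signed certificate for the hotspot login host
// that carries the OCSP and CRL URLs a CA-issued certificate would carry (URLs are made up).
func MakeHotspotCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		OCSPServer:            []string{"http://ocsp.example-ca.test"},
		CRLDistributionPoints: []string{"http://crl.example-ca.test/ca.crl"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// WalledGardenHosts lists the OCSP responder and CRL hosts named in the certificate:
// the servers the portal must let unauthenticated clients reach, or validation fails.
func WalledGardenHosts(cert *x509.Certificate) []string {
	var hosts []string
	for _, raw := range append(append([]string{}, cert.OCSPServer...), cert.CRLDistributionPoints...) {
		if u, err := url.Parse(raw); err == nil && u.Hostname() != "" {
			hosts = append(hosts, u.Hostname())
		}
	}
	return hosts
}

// InterceptedHTTPSWarns reports whether a browser that asked for https://<requested> warns
// when the hotspot answers the intercepted request with the login page's certificate.
func InterceptedHTTPSWarns(cert *x509.Certificate, requested string) bool {
	return cert.VerifyHostname(requested) != nil // name mismatch: the warning is unavoidable
}
```

Run WalledGardenHosts against the certificate actually installed on the hotspot to get the list of hosts to whitelist; the mismatch check is only true for the login host itself, never for whatever page the client originally asked for.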

Copyright © 2018 DuxTel Online Store