2
votes

We have a wildcard SSL certificate for our domains. If I set up the Secure Canvas URL, we get the dreaded empty response error. My understanding is that this is because Facebook has a problem with our SSL cert.

Are there any recommendations on how to figure out what is wrong with our SSL certificate?

I read this blog post: http://developers.facebook.com/blog/post/567/

I ran the test on the site they recommended; it looks pretty good to me. Could that Beast mode warning be causing this problem? Here are the results I get back:

Certificate Information
Common names: *.mydomain.com
Alternative names: *.mydomain.com, mydomain.com
Prefix handling: Not required for subdomains
Valid from: Tue Jul 19 00:00:00 UTC 2011
Valid until: Wed Jul 18 23:59:59 UTC 2012 (expires in 8 months and 18 days)
Key: RSA / 2048 bits
Signature algorithm: SHA1withRSA
Server Gated Cryptography: Netscape Step-Up, Microsoft Server Gated Cryptography
Weak key (Debian): No
Issuer: EssentialSSL CA
Next Issuer: COMODO Certification Authority TRUSTED
Chain length (size): 2 (2581 bytes)
Chain issues: None
Validation type: Domain-validated (DV)
Revocation information: CRL, OCSP
Revocation status: Good (not revoked)
Trusted: Yes

Protocols
TLS 1.2: No
TLS 1.1: No
TLS 1.0: Yes
SSL 3.0: Yes
SSL 2.0+ upgrade support: Yes
SSL 2.0: Yes N (*)
(*) N next to protocol version means the protocol has no cipher suites enabled

Cipher Suites (sorted by strength; server has no preference)
TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
TLS_RSA_WITH_RC4_128_SHA (0x5) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits (p: 128, g: 1, Ys: 128) 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) 168
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits (p: 128, g: 1, Ys: 128) 256

Miscellaneous
Test date: Thu Nov 03 19:37:27 UTC 2011
Test duration: 55.590 seconds
Server signature: Apache
Server hostname: dev.mydomain.com
Session resumption: Yes
BEAST attack: Vulnerable, INSECURE
Secure Renegotiation: Supported, with client-initiated renegotiation disabled
Insecure Renegotiation: Not supported
Strict Transport Security: No
TLS version tolerance: 0x0304: 0x301; 0x0399: 0x301; 0x0499: fail
PCI compliant: No
FIPS-ready: No
Ephemeral DH: 1024 bits (p: 128, g: 1, Ys: 128)


1 Answer

0
votes

Are you missing the intermediate certificates? Check at http://www.sslshopper.com/ssl-checker.html to see if you have a full chain.

Also good is the checker at https://www.ssllabs.com/.

If the app is FBML, Facebook is very strict about which certificates it will accept when connecting to your site to download the content; if your app uses iFrames, it's mostly up to the user's browser settings and you'll get away with less strict checking.

The quote from that blog post which seems to have tripped up most FBML apps is:

If you enable SSL for your FBML app, please make sure that your SSL certificate includes all intermediate certificates in the chain of trust as our SSL validation is strict. You can use third-party SSL analysis tools (e.g., https://www.ssllabs.com/index.html) to check your certificate status and fix any errors (and warnings). If your SSL certificate has problems, you may see "Empty response received" error when you load your FBML canvas app.