We have a wildcard SSL certificate for our domains. If I set up the Secure Canvas URL, we get the dreaded empty response error. My understanding is that this is because Facebook has a problem with our SSL cert.
Are there any recommendations on how to figure out what is wrong with our SSL certificate?
I read this blog post: http://developers.facebook.com/blog/post/567/
I ran the test on the site they recommended, and it looks pretty good to me. Could that Beast mode warning be causing this problem? Here are the results I get back:

Certificate Information
Common names: *.mydomain.com
Alternative names: *.mydomain.com mydomain.com
Prefix handling: Not required for subdomains
Valid from: Tue Jul 19 00:00:00 UTC 2011
Valid until: Wed Jul 18 23:59:59 UTC 2012 (expires in 8 months and 18 days)
Key: RSA / 2048 bits
Signature algorithm: SHA1withRSA
Server Gated Cryptography: Netscape Step-Up, Microsoft Server Gated Cryptography
Weak key (Debian): No
Issuer: EssentialSSL CA
Next Issuer: COMODO Certification Authority TRUSTED
Chain length (size): 2 (2581 bytes)
Chain issues: None
Validation type: Domain-validated (DV)
Revocation information: CRL, OCSP
Revocation status: Good (not revoked)
Trusted: Yes

Protocols
TLS 1.2: No
TLS 1.1: No
TLS 1.0: Yes
SSL 3.0: Yes
SSL 2.0+ upgrade support: Yes
SSL 2.0: Yes N
(*) N next to protocol version means the protocol has no cipher suites enabled

Cipher Suites (sorted by strength; server has no preference)
TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
TLS_RSA_WITH_RC4_128_SHA (0x5) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits (p: 128, g: 1, Ys: 128) 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) 168
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits (p: 128, g: 1, Ys: 128) 256

Miscellaneous
Test date: Thu Nov 03 19:37:27 UTC 2011
Test duration: 55.590 seconds
Server signature: Apache
Server hostname: dev.mydomain.com
Session resumption: Yes
BEAST attack: Vulnerable INSECURE (more info)
Secure Renegotiation: Supported, with client-initiated renegotiation disabled
Insecure Renegotiation: Not supported
Strict Transport Security: No
TLS version tolerance: 0x0304: 0x301; 0x0399: 0x301; 0x0499: fail
PCI compliant: No
FIPS-ready: No
Ephemeral DH: 1024 bits (p: 128, g: 1, Ys: 128)