SSL Error with internal company server

Gamma

Steps to reproduce:
I am connecting with Orion to an internal server (Jira) that uses a self-signed certificate to support TLS. The connection fails with the error visibile in the attached image

Expected behavior:
The browser should let me connect. In previous builds I was able to bypass the problem using compatibility mode and relaxing the certificate check, but now this is not working anymore. The problem is annoying as I cannot use Orion as default browser anymore.

Orion, OS version; hardware type:
0.99.116-beta (WebKit 614.1.20)
MacBook Pro (16-inch, 2019)
macOS Monterey 12.3.1 (21E258)

Image/Video:

Vlad

Gamma Need steps to reproduce with a public server.

BomberFish

Perhaps the "Automatic HTTPS Upgrade" setting is related.

nielsk

I have in the latest built the same problem suddenly.

In the Websites-settings the validation of the servers is set to ignore.
I try to set something up in the public internet.

nielsk

It is harder than expected because apparently I need specific tls-keys. I just checked the difference between my public site and the servers where it is not working and the servers where it is not working I see in Firefox 256bit-keys and for the working one 128bit keys.

nielsk

I have something set up that shows in Firefox 256 bit keys but it works in Orion. The only difference I see now that my test-page uses apache and the other ones use something like nginx or the "pveproxy worker" from proxmox.

That would mean that I need to spin up an extra test vm for this. This might take some time.

nielsk

Is there any other way to get debug information for you guys?

With curl I get this:

* Host $FQDN:8006 was resolved.
* IPv6: (none)
* IPv4: $IP
*   Trying $IP:8006...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: OU=PVE Cluster Node; O=Proxmox Virtual Environment; CN=$FQDN
*  start date: Aug 10 03:45:25 2023 GMT
*  expire date: Aug  9 03:45:25 2025 GMT
*  issuer: CN=Proxmox Virtual Environment; OU=21a8709b-5a31-4b7a-8bc4-063604cbc734; O=PVE Cluster Manager CA
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to $FQDN ($IP) port 8006
* using HTTP/1.x
> GET / HTTP/1.1
> Host: $FQDN:8006
> User-Agent: curl/8.12.1
> Accept: */*
>
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200 OK
< Cache-Control: max-age=0
< Connection: Keep-Alive
< Date: Tue, 18 Mar 2025 05:27:32 GMT
< Pragma: no-cache
< Server: pve-api-daemon/3.0
< Content-Length: 2165
< Content-Type: text/html; charset=utf-8
< Expires: Tue, 18 Mar 2025 05:27:32 GMT
<

nielsk

It works in Orion RC though

aosterhage

Is there no ability to trust a server's certificate? This happens on any server with a self-signed certificate that is not already in the bundled CA list.

Selecting "Ignore" under "SSL Certificate Check" does not resolve the issue.

And to be clear, the connection is still intended to be HTTPS based (my server actually requires this). So disabling "Automatic HTTPS Upgrade" and navigating to "http://" will not work.

This is pretty common when working with development environments and other internal networks; certificates may not be issued by an already trusted CA. I still need the ability to connect to the server.