Windows server 2016 - Android Browser Showing Security Risk or Connection Not Secured

supportForKS (joined Nov 4, 2021)
On some Android version 7.0 devices, a Security Risk (Firefox), Connection Not Secured (Chrome) or Connection is not private (Edge) warning is displayed when browsing any of the websites running on one web server. Strangely, on other devices (Windows desktop, iPhone) these sites run perfectly without any warning.

Secondly, while browsing on Android version 7.0 it shows the following information in the error details:
  • "The identity of the website has not been verified."
  • "Server certificate is not trusted"
The SSL certificate is up to date. Is the certificate not trusted because IIS is building its own chain?

It also shows the following affirmative messages:

  • "Your connection to the site is encrypted using a modern cipher suite."
  • "The connection uses TLS 1.2"
  • "The connection is encrypted and authenticated using AES_256_GCM and uses ECDHE_RSA as the key exchange mechanism"
Thirdly, did DST Root CA X3 expire globally on Sep 30, 2021 for all servers and browsers?
If the answer is yes, then there would be some updates/fixes available for Windows IIS to accept the long chain after expiry. Any comments on this?

The websites are running on an IIS 10 web server on Windows Server 2016 with TLS 1.0, 1.1 and 1.2 enabled.

Any suggestions? What am I missing here?
The warnings you are experiencing on Android devices about security risks or the connection not being trusted can be due to various reasons related to how SSL/TLS certificates are configured on your web server. Here are some suggestions and insights based on the issues you've described:

Certificate Chain and Trust Issues:

  1. Certificate Chain: When a certificate is issued, it should be accompanied by an intermediate certificate to complete the chain up to the root CA. These intermediate certificates must be correctly configured on your server to establish trust.
  2. Chain of Trust Verification: If the intermediate certificate is not properly installed on the server, you may face certificate trust issues.
  3. Certificate Validation: Android devices have stringent certificate validation checks which might explain the warnings you're seeing.

Fixing the Trust Issues:

  4. Intermediate Certificate: Ensure that your server is serving the correct intermediate certificate. Check the full certificate chain using online SSL checkers.
  5. Cross-Origin Errors: If your website loads resources from different domains, your server should present the full certificate chain for those resources too.
  6. Certificate Expiry: While DST Root CA X3 has expired, it should not immediately impact all connections. However, cross-signing issues might arise.

Updating SSL Configuration:

  7. TLS Configuration: Consider updating your TLS settings to the latest best practices. TLS 1.0 and 1.1 are outdated and might lead to security concerns.
  8. SSL Labs: Use tools like SSL Labs to scan your website for any SSL/TLS issues. It provides detailed reports on SSL configurations and potential vulnerabilities.

Resolving Browser Warnings:

  9. Browser Cached Data: Clear cached data on the Android devices or use incognito mode to eliminate any stored warnings in the browser.
  10. Browser Security Settings: Check security settings in the browsers to ensure that they are not blocking any HTTPS connections unnecessarily.

By ensuring that your server serves the full certificate chain correctly, updating your server's TLS settings, and resolving any SSL/TLS configuration issues, you may be able to reduce the security warnings and establish secure HTTPS connections on your Android devices.
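A check for the "is IIS building its own chain?" question in the post and for item 4 of the answer, added here as an example and not code from the thread: on Windows, IIS (schannel) assembles the chain it sends to clients from the local certificate stores, so this script, run on the IIS host, builds the chain for each HTTPS binding's certificate, lists every element with its expiry, and flags intermediates that are missing from the Intermediate Certification Authorities store. $SiteName is an assumed placeholder for your site name.

```powershell
# Added example: inspect the chain Windows builds for each HTTPS binding on this IIS host.
# $SiteName is a placeholder; the chain is built in the current user's context and
# is assumed to match the one schannel serves.
param([string]$SiteName = 'Default Web Site')

Import-Module WebAdministration

foreach ($binding in (Get-WebBinding -Name $SiteName -Protocol https)) {
    $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }
    $cert  = Get-Item "Cert:\LocalMachine\$store\$($binding.certificateHash)"
    Write-Host "Binding $($binding.bindingInformation) -> $($cert.Subject)"

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline check: chain construction is the question here, not revocation.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)

    for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
        $c = $chain.ChainElements[$i].Certificate
        $role = if ($i -eq 0) { 'leaf' }
                elseif ($c.Subject -eq $c.Issuer) { 'root' }
                else { 'intermediate' }
        $expired = if ($c.NotAfter -lt (Get-Date)) { ' EXPIRED' } else { '' }
        Write-Host ("  [{0}] {1,-12} {2} (expires {3:yyyy-MM-dd}){4}" -f
            $i, $role, $c.Subject, $c.NotAfter, $expired)
        # An intermediate that is not in LocalMachine\CA is the usual reason clients
        # receive an incomplete chain from IIS.
        if ($role -eq 'intermediate' -and
            -not (Test-Path "Cert:\LocalMachine\CA\$($c.Thumbprint)")) {
            Write-Warning "Intermediate '$($c.Subject)' is not in LocalMachine\CA"
        }
    }

    # Any status entries explain why Windows itself does not consider the chain valid.
    foreach ($s in $chain.ChainStatus) {
        Write-Warning "$($s.Status): $($s.StatusInformation.Trim())"
    }
    if (-not $built) { Write-Warning "Chain did not build for $($cert.Thumbprint)" }
}
```

An element marked EXPIRED in the root position (for example DST Root CA X3, which the post asks about) shows which root the local store is chaining to; compare the listing with what an external SSL checker reports the server actually sending.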