[Systems] CAcert certificate expiring

Sascha Silbe sascha-ml-reply-to-2011-2 at silbe.org
Mon Feb 14 12:50:16 EST 2011


Excerpts from Bernie Innocenti's message of Mon Feb 14 18:10:28 +0100 2011:

> Instead, The StartSSL free certificates with SNI work very well. Let's
> keep using those for all our sites, ok?

SNI doesn't work well enough yet to rely on it. E.g. for Browse we need
force TLSv1 (i.e. disable SSLv3) or it won't use SNI (Iceweasel, which
in theory is based on the same backend code, handles this fine). But if
we disable SSLv3, some browsers (e.g. Epiphany [1]) stop working at all.
And some browsers (Epiphany again [2]) still don't support SNI.

SSL/TLS is still a large nest of bugs and incompatibilities. :(

Sascha

[1] https://bugzilla.gnome.org/show_bug.cgi?id=581342
[2] https://bugzilla.gnome.org/show_bug.cgi?id=641080
-- 
http://sascha.silbe.org/
http://www.infra-silbe.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 494 bytes
Desc: not available
URL: <http://lists.sugarlabs.org/private/systems/attachments/20110214/c864c45c/attachment.pgp>


More information about the Systems mailing list