[Systems] CAcert certificate expiring

Bernie Innocenti bernie at codewiz.org
Mon Feb 14 14:30:29 EST 2011


On Mon, 2011-02-14 at 18:50 +0100, Sascha Silbe wrote: 
> Excerpts from Bernie Innocenti's message of Mon Feb 14 18:10:28 +0100 2011:
> 
> > Instead, the StartSSL free certificates with SNI work very well. Let's
> > keep using those for all our sites, ok?
> 
> SNI doesn't work well enough yet to rely on it. E.g. for Browse we need
> to force TLSv1 (i.e. disable SSLv3)

Uh? TLSv1 is the same as SSL 3.1:

http://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0_.28SSL_3.1.29


> or it won't use SNI (Iceweasel, which
> in theory is based on the same backend code, handles this fine). But if
> we disable SSLv3, some browsers (e.g. Epiphany [1]) stop working at all.
> And some browsers (Epiphany again [2]) still don't support SNI.

These are a minority of browsers. They don't stop working, they just
tell you that the certificate is invalid, like the majority of browsers
would do for CAcert.


> SSL/TLS is still a large nest of bugs and incompatibilities. :(

Yes, I'm trying to find the combination of bugs that hits fewer users,
while not financing the CA racket. I'd say that StartSSL + SNI is our
best option now and will get even better in the future, while CAcert is
a bad choice now and is likely to get *worse* in the future.

-- 
   // Bernie Innocenti - http://codewiz.org/
 \X/  Sugar Labs       - http://sugarlabs.org/
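Added illustration, not part of the thread: the SNI dependency on the protocol version that Sascha describes comes from the wire format. The server name travels in a ClientHello extension, and an SSLv3-style ClientHello has no extensions field, so a server hosting several certificates on one address can only choose the right one when the client speaks TLS and includes the extension. The builder and parser below work on constructed hellos (zeroed random, one cipher suite) and need no network.

```python
import struct

SNI_EXT_TYPE = 0x0000  # server_name extension (RFC 3546 / RFC 6066)
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def build_client_hello(version, sni_host=None):
    """Build a minimal ClientHello record; version is (major, minor). Constructed test data."""
    body = bytes(version) + b"\x00" * 32                # client_version + 32-byte random (zeros here)
    body += b"\x00"                                      # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"          # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                                  # one compression method: null
    if sni_host is not None:                             # extensions block only exists for TLS hellos
        name = sni_host.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0) + length + name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXT_TYPE, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (version_name, sni_hostname or None) from a raw ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    version = VERSIONS.get((body[0], body[1]), "unknown")
    pos = 2 + 32                                          # skip client_version and random
    pos += 1 + body[pos]                                  # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # skip cipher_suites
    pos += 1 + body[pos]                                  # skip compression_methods
    if pos >= len(body):                                  # no extensions field: SSLv3-style hello
        return version, None
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == SNI_EXT_TYPE:
            p = 2                                         # skip 2-byte ServerNameList length
            while p + 3 <= len(data):
                name_type, name_len = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if name_type == 0:
                    return version, data[p + 3:p + 3 + name_len].decode("idna")
                p += 3 + name_len
    return version, None
```

A server that selects its certificate from the parsed hostname falls back to a default certificate whenever the second value is None, which is exactly the mismatch non-SNI clients see on an SNI-only host.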