[Systems] CAcert certificate expiring

Bernie Innocenti bernie at codewiz.org
Mon Feb 14 14:42:18 EST 2011


On Mon, 2011-02-14 at 14:30 -0500, Bernie Innocenti wrote: 
> On Mon, 2011-02-14 at 18:50 +0100, Sascha Silbe wrote: 
> > Excerpts from Bernie Innocenti's message of Mon Feb 14 18:10:28 +0100 2011:
> > 
> > > Instead, The StartSSL free certificates with SNI work very well. Let's
> > > keep using those for all our sites, ok?
> > 
> > SNI doesn't work well enough yet to rely on it. E.g. for Browse we need
> > force TLSv1 (i.e. disable SSLv3)
> 
> Uh? TLSv1 is the same as SSL 3.1:
> 
> http://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0_.28SSL_3.1.29

Ah, I just got this in a ticket on rt.gnu.org:


----------8<-----------8<-----------8<-----------8<-----------8<----------
If you want to tweak Apache a little bit, you might also want to disable
SSL3 and the old SSL2 way of performing a handshake (referred to as SSL
2.0+ Upgrade Support). All modern and also old browsers support TLS1.0
so there is no problem with compatibility - additionally all of gnu.org
is available in plaintext for those whose browser does not support any
encryption at all, so switching off SSL3 will not cause any trouble and
will also prevent the possibility of a downgrade attack.
Additionally, by doing this you gain FIPS-ready status which might be of
interest to US Government agencies in case they wish to perform secure
transactions of any kind with you.

A similar argument goes for cipher strengths below 256-bit.
----------8<-----------8<-----------8<-----------8<-----------8<----------

Do you agree?

-- 
   // Bernie Innocenti - http://codewiz.org/
 \X/  Sugar Labs       - http://sugarlabs.org/
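For reference, this is what the Apache tweak the ticket describes looks like as mod_ssl directives. It is an added example and not configuration taken from the thread, the ticket, gnu.org or any Sugar Labs host; the hostnames, address and certificate paths are placeholders. The "weak" cipher list is the stock mod_ssl 2.2 default rather than anything observed on a real server.

```apache
# Added example; hostnames, address and paths are placeholders.

# --- Before: the stock mod_ssl 2.2 defaults. "all" still accepts SSLv2
# and SSLv3 handshakes, and the default cipher list admits LOW and export
# grade suites, so a downgrade to the weakest common denominator is possible.
<VirtualHost 192.0.2.10:443>
    ServerName            www.example.org
    SSLEngine             on
    SSLProtocol           all
    SSLCipherSuite        ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile    /etc/ssl/certs/www.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key
</VirtualHost>

# --- After: TLS only (what the ticket calls switching off SSL3 and the
# "SSL 2.0+ Upgrade" handshake), no anonymous/export/RC4/MD5 suites, and the
# server's preference order wins. The protocol and cipher policy is set once
# at server level rather than per vhost, because the protocol version is
# negotiated before the SNI name is looked at, so the policy of the default
# vhost is the one that actually applies to every name on the address.
SSLProtocol         all -SSLv2 -SSLv3
SSLCipherSuite      HIGH:!aNULL:!MD5:!RC4:!EXP
SSLHonorCipherOrder on

# Apache 2.2 needs this for name-based SSL vhosts; drop it on 2.4.
NameVirtualHost     192.0.2.10:443

# Two name-based HTTPS vhosts on one address. SNI is a TLS extension and
# does not exist in SSLv3, so disabling SSLv3 costs nothing for any client
# that could do SNI in the first place.
<VirtualHost 192.0.2.10:443>
    ServerName            www.example.org
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/www.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName            wiki.example.org
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/wiki.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/wiki.example.org.key
</VirtualHost>
```

To check the result from a shell, `openssl s_client -connect www.example.org:443 -ssl3 </dev/null` should end in a handshake failure, while `openssl s_client -connect www.example.org:443 -tls1 -servername wiki.example.org </dev/null` should connect and present the wiki certificate (note that recent OpenSSL builds are compiled without SSLv3, so the `-ssl3` option may not exist there; use an older build to exercise that case). The ticket's stricter bar of nothing below 256 bits would be `AES256:!aNULL:!MD5` in place of the `HIGH:...` string above; `HIGH` keeps 128-bit AES, which is a common and defensible choice, and the choice of threshold is the part of the ticket's advice a practitioner may reasonably differ on.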