[Systems] CAcert certificate expiring

Sascha Silbe sascha-ml-reply-to-2011-2 at silbe.org
Mon Feb 14 15:26:42 EST 2011


Excerpts from Bernie Innocenti's message of Mon Feb 14 20:30:29 +0100 2011:

> Uh? TLSv1 is the same as SSL 3.1:

But not the same as SSL 3.0, which is what "SSLv3" refers to in practice:

> http://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0_.28SSL_3.1.29

>> TLS 1.0 (SSL 3.1)

>> TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade to
>> SSL Version 3.0. As stated in the RFC, "the differences between this
>> protocol and SSL 3.0 are not dramatic, but they are significant enough
>> that TLS 1.0 and SSL 3.0 do not interoperate." TLS 1.0 does include a
>> means by which a TLS implementation can downgrade the connection to SSL 3.0.

> > or it won't use SNI (Iceweasel, which
> > in theory is based on the same backend code, handles this fine). But if
> > we disable SSLv3, some browsers (e.g. Epiphany [1]) stop working at all.
> > And some browsers (Epiphany again [2]) still don't support SNI.

> These are a minority of browsers. They don't stop working, they just
> tell you that the certificate is invalid, like the majority of browsers
> would do for CAcert.

I guess you're talking about browsers that don't support SNI now, not
about the ones that break without SSLv3. Yes, they would just show a
certificate warning (though a different, potentially more scary one).
The difference to the current situation is that they will always show
a warning, instead of only if the CAcert root certificate has not been
installed. If you don't use the CAcert wildcard certificate as fallback
for the non-SNI case, you now either cause Browse to show a scary
certificate warning (it didn't before because we ship the CAcert root
cert in Browse) or prevent Epiphany from connecting (because for Browse
to use SNI you need to disable SSLv3).

What's the reason not to renew the CAcert wildcard cert and continue
using it as a fallback for the non-SNI case? It wouldn't affect anything
but the cases you don't care about anyway.

> > SSL/TLS is still a large nest of bugs and incompatibilities. :(
> 
> Yes, I'm trying to find the combination of bugs that hits fewer users,
> while not financing the CA racket. I'd say that StartSSL + SNI is our
> best option now and will get even better in the future, while CAcert is
> a bad choice now and is likely to get *worse* in the future.

CAcert is a no-cost service, so you wouldn't be "financing the CA
racket" (which I wouldn't like to do either). In what way exactly that
would make it a bad idea to use their certificates at all do you think
CAcert is getting worse in the future? Remember that the alternative is
to have no working certificate at all for the non-SNI case, not to use
a certificate from a different CA.

Sascha

-- 
http://sascha.silbe.org/
http://www.infra-silbe.de/
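The disagreement above turns on what a client puts in its ClientHello: the server name it wants is carried in the SNI extension, and an SSL 3.0 hello has no extensions block at all, so a server can only answer it with whatever fallback certificate it has configured. The following Python script is added here as an illustration; it is not code from the Sugar Labs infrastructure or from either poster. It builds constructed ClientHello records for the cases discussed (TLS with SNI, TLS without SNI, SSL 3.0), parses them back to report the client version and requested name, and decides which certificate an SNI-aware server would present. The hostnames, the certificate labels and the single cipher suite in the constructed records are assumptions for the example; an operator could run the same parser over the first record of incoming connections to count how many clients would land on the non-SNI fallback before removing it.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000   # RFC 6066 server_name extension
HOST_NAME_TYPE = 0            # server_name entry type host_name


def build_client_hello(client_version, server_name=None):
    """Construct a minimal ClientHello record (constructed test input, not a capture).

    client_version is the 16-bit protocol version (0x0300 = SSL 3.0,
    0x0301 = TLS 1.0). With server_name=None no extensions block is
    emitted, which is what an SSL 3.0 hello looks like on the wire.
    """
    body = struct.pack("!H", client_version)
    body += b"\x00" * 32                         # client random (zeros here; real clients send random bytes)
    body += b"\x00"                              # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"   # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA, assumed)
    body += b"\x01\x00"                          # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        sni_data = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_data)) + sni_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    # Record header: content type handshake (0x16), version, length.
    return b"\x16" + struct.pack("!H", client_version) + struct.pack("!H", len(handshake)) + handshake


def _take(buf, pos, n):
    """Bounds-checked slice: returns (bytes, new_pos) or raises ValueError."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n


def _parse_sni(data):
    """Return the first host_name entry of a server_name extension, or None."""
    raw, pos = _take(data, 0, 2)
    end = pos + struct.unpack("!H", raw)[0]
    if end > len(data):
        raise ValueError("bad server_name list length")
    while pos < end:
        hdr, pos = _take(data, pos, 3)
        name_type, name_len = struct.unpack("!BH", hdr)
        name, pos = _take(data, pos, name_len)
        if name_type == HOST_NAME_TYPE:
            return name.decode("ascii")
    return None


def parse_client_hello(record):
    """Return (client_version, server_name) from a TLS/SSL ClientHello record.

    server_name is None when the hello carries no server_name extension
    (or no extensions block at all). Malformed input raises ValueError.
    """
    hdr, pos = _take(record, 0, 5)
    if hdr[0] != 0x16:
        raise ValueError("not a handshake record")
    hs, _ = _take(record, pos, struct.unpack("!H", hdr[3:5])[0])
    hs_hdr, pos = _take(hs, 0, 4)
    if hs_hdr[0] != 0x01:
        raise ValueError("not a ClientHello")
    body, _ = _take(hs, pos, int.from_bytes(hs_hdr[1:4], "big"))
    raw, pos = _take(body, 0, 2)
    client_version = struct.unpack("!H", raw)[0]
    _, pos = _take(body, pos, 32)                            # random
    raw, pos = _take(body, pos, 1)
    _, pos = _take(body, pos, raw[0])                        # session_id
    raw, pos = _take(body, pos, 2)
    _, pos = _take(body, pos, struct.unpack("!H", raw)[0])   # cipher_suites
    raw, pos = _take(body, pos, 1)
    _, pos = _take(body, pos, raw[0])                        # compression_methods
    if pos == len(body):
        return client_version, None                          # no extensions block (SSL 3.0 style hello)
    raw, pos = _take(body, pos, 2)
    end = pos + struct.unpack("!H", raw)[0]
    if end != len(body):
        raise ValueError("extensions length mismatch")
    server_name = None
    while pos < end:
        raw, pos = _take(body, pos, 4)
        ext_type, ext_len = struct.unpack("!HH", raw)
        ext_data, pos = _take(body, pos, ext_len)
        if ext_type == SNI_EXTENSION_TYPE and server_name is None:
            server_name = _parse_sni(ext_data)
    return client_version, server_name


def certificate_to_present(record, named_hosts, fallback="fallback-wildcard"):
    """Which certificate an SNI-aware server would hand this client.

    named_hosts maps a server name to the certificate label configured for it;
    a hello without SNI, or with an unknown name, gets the fallback certificate,
    the role the thread proposes for the CAcert wildcard certificate.
    """
    _version, name = parse_client_hello(record)
    if name is not None and name in named_hosts:
        return named_hosts[name]
    return fallback


if __name__ == "__main__":
    hosts = {"www.example.org": "startssl-www"}            # assumed names and labels
    for label, rec in [("TLS 1.0 + SNI", build_client_hello(0x0301, "www.example.org")),
                       ("TLS 1.0, no SNI", build_client_hello(0x0301)),
                       ("SSL 3.0", build_client_hello(0x0300))]:
        version, name = parse_client_hello(rec)
        print("%-16s version=0x%04x sni=%r -> %s" % (label, version, name, certificate_to_present(rec, hosts)))
```

The parser stops at the first server_name extension and rejects truncated or inconsistent lengths rather than reading past the buffer, which matters if it is ever pointed at bytes from a real socket. It only inspects the hello; it does not complete a handshake, so it is suitable for passive counting, not for serving.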