[Gpg4win-users-en] Commonly accepted SSL/TLS certificate for gpg4win websites

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Oct 15 18:14:41 CEST 2015


Hi Thomas--

On Thu 2015-10-15 10:04:58 -0400, Thomas Arendsen Hein wrote:
> TL;DR: We want to switch to a commercial SSL certificate for
> the gpg4win web and download services soon. Mailing list and forum
> will not yet be changed.

Thank you for working on this.  It is much appreciated.

Your details about the decisions you've made are helpful in
understanding the situation as well.

>   The main problem here was the templating mechanism of FusionForge
>   for the web server configuration files for Wald. Some early
>   attempts to adjust this failed, 

Have you asked the fusionforge developers for help with this?  I expect
that they would prioritize a support request from a project as important
as gpg4win.


I just wanted to discuss one particular option that might make things
cheaper and quicker for you:

> * Why don't we simply use SNI to present different certificates?
 [...snip fusionforge discussion, covered above...]
>   2. SNI has only very recently become supported by most browsers
>      and there is still some software that does not support SNI:
>      - Internet Explorer on Windows XP (should not be relevant
>        anymore, but unfortunately it is)
>      - older wget (as included in the still supported Debian wheezy)
>      - Python before 2.7.9 (again Debian wheezy)
>      - Mercurial before version 3.3 (Debian jessie has 3.1.2)
>      - Java 6 (even at the current patch level)
>      - Not sure if Android 2.x still counts, but I mention it for
>        completeness
>
>   I want to use SNI in the future, but I assume this still has to
>   wait a bit for getting Windows XP with IE usage below 1% and
>   maybe even Debian jessie becoming oldstable.

Up to the present day, none of the hosted web sites worked by default
with any of the clients listed above, because of the certificates issued
by a non-cartel root.

So if SNI ends up being a cheaper/quicker/easier path to support the
overwhelming majority of TLS clients (meaning: not the non-SNI ones
itemized above), that would still be a large and substantial win, even
though these marginal clients might continue to fail.

If the current site-move + geotrust-cert plan seems overwhelming in
terms of cost or administrator time, but you think you can roll out SNI
more rapidly and with less expense, I think you should keep that option
on the table.

Again, many thanks for moving this project forward.

Regards,

     --dkg

PS for the enumerated non-SNI clients in certain versions of Debian, I
   would be happy to support and push for a targeted patch to enable
   them to use SNI in a point release.  If you know of such a patch
   (either in a Debian bug report or elsewhere), please point me to it.
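The thread above turns on how many clients omit the Server Name Indication extension. The following is an added example, not part of this mailing-list exchange or of gpg4win's own tooling: a small parser that inspects a TLS ClientHello record and reports whether it carries SNI and for which host, plus a counter a server operator could run over captured ClientHellos to measure the share of non-SNI clients before switching to SNI-based virtual hosting. The ClientHello byte strings are constructed here as fixtures (the host name `files.example.org`, the cipher suites and the zeroed random field are all made up), not taken from real captures.

```python
"""Detect the TLS server_name (SNI) extension in a ClientHello record.

Added example for the SNI discussion; the sample records are constructed
by hand and are not captures from any real client or server.
"""
import struct

TLS_HANDSHAKE = 0x16      # record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension type for SNI (RFC 6066)
SNI_HOST_NAME = 0x00      # name_type: host_name


def parse_client_hello_sni(record: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None.

    None means the ClientHello is well formed but carries no server_name
    extension, which is what the legacy clients in the thread send.
    ValueError means the bytes are not a well-formed ClientHello at all.
    """
    try:
        return _parse(record)
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc


def _parse(record: bytes):
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != CLIENT_HELLO:
        raise ValueError("not a complete ClientHello record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("ClientHello length mismatch")

    pos = 2 + 32                                    # legacy_version + random
    pos += 1 + hello[pos]                           # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                           # compression_methods
    if pos == len(hello):
        return None                                 # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end != len(hello):
        raise ValueError("extensions length mismatch")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue                                # skip unrelated extensions
        list_len = struct.unpack("!H", data[:2])[0]
        p, list_end = 2, min(len(data), 2 + list_len)
        while p + 3 <= list_end:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == SNI_HOST_NAME:
                return name.decode("ascii")
    return None


def build_client_hello(sni_host=None, other_extensions=True):
    """Construct a minimal TLS 1.2 ClientHello fixture (not a real capture)."""
    extensions = b""
    if other_extensions:
        # signature_algorithms (0x000d) with one entry, so the parser must
        # step over an extension that is not SNI
        extensions += struct.pack("!HHH", 0x000D, 4, 2) + b"\x04\x01"
    if sni_host is not None:
        name = sni_host.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        sni_data = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    hello = struct.pack("!H", 0x0303)               # legacy_version: TLS 1.2
    hello += bytes(32)                              # random (zeros, fixture only)
    hello += b"\x00"                                # empty session_id
    suites = bytes([0xC0, 0x2F, 0x00, 0x9C])        # two made-up suite choices
    hello += struct.pack("!H", len(suites)) + suites
    hello += b"\x01\x00"                            # one compression method: null
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    body = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(body)) + body


def sni_report(records):
    """Tally how many ClientHello records carry SNI, omit it, or are malformed."""
    counts = {"with_sni": 0, "without_sni": 0, "malformed": 0}
    for rec in records:
        try:
            host = parse_client_hello_sni(rec)
        except ValueError:
            counts["malformed"] += 1
            continue
        counts["with_sni" if host is not None else "without_sni"] += 1
    return counts


if __name__ == "__main__":
    samples = [
        build_client_hello("files.example.org"),       # modern client
        build_client_hello(None),                      # extensions, but no SNI
        build_client_hello(None, other_extensions=False),  # no extensions at all
        b"GET / HTTP/1.0\r\n",                         # plaintext hitting port 443
    ]
    for s in samples[:3]:
        print("SNI host:", parse_client_hello_sni(s))
    print(sni_report(samples))
```

Fed the first bytes of each TLS connection from a packet capture, `sni_report` gives the operator the number Thomas is waiting for (the share of connections with no SNI) instead of an estimate from browser market share; a connection without SNI is the one that will be served the default virtual host's certificate once SNI-based selection is turned on.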