[Gpg4win-users-en] Commonly accepted SSL/TLS certificate for gpg4win websites

Michael Carbone michael at accessnow.org
Thu Oct 15 18:19:23 CEST 2015

Thomas Arendsen Hein:
> Hi!
> There has been some discussion about SSL/TLS certificates that are
> automatically accepted by usual web browsers on this list (and
> elsewhere).
> TL;DR: We want to switch to a commercial SSL certificate for
> the gpg4win web and download services soon. Mailing list and forum
> will not yet be changed.
> = The current situation =
> The current certificate is provided by our own CA, which is not
> known by most browsers unless the root certificate is imported from
> https://ssl.intevation.de/
> * Why don't we just buy a certificate?
>   We currently have to do this, because the certificate includes
>   over 40 SAN entries (including a wildcard entry) in a single
>   certificate: wald.intevation.org, *.wald.intevation.org and many
>   entries for the projects hosted on Wald.
>   I'm not aware of any commercial CA that offers such certificates,
>   I have only found CAs which offer 24 SAN entries, and then they
>   don't allow wildcard entries.
> * Why don't we simply use more IPs?
>   IPv4 IPs are a scarce resource, we don't want to waste them. But
>   we tried adding some extra IPs to our Wald server to have separate
>   SSL certificates for the most important services:
>   - *.wald.intevation.org and wald.intevation.org
>   - the 4 gpg4win hostnames currently hosted on Wald (gpg4win.org,
>     gpg4win.de and both prefixed with "www.")
>   - everything else (using a certificate signed by our own CA, like
>     the current one)
>   The main problem here was the templating mechanism of FusionForge
>   for the web server configuration files for Wald. Some early
>   attempts to adjust this failed, and because our admin capacities
>   were needed in other projects, we did not continue with this
>   approach. It certainly is possible, but might be too
>   time-consuming. If adjusting Wald fails, we could use a
>   workaround: A simple proxy or TCP forwarder in front of Wald, but
>   at that time, Wald was under heavy load and we did not want to add
>   extra overhead for a workaround. Since then we upgraded to more
>   powerful hardware, so this might be a possibility for the future.
> * Why don't we simply use SNI to present different certificates?
>   1. Same reasons as above: We need to adjust the FusionForge
>      templating or add a proxy/forwarder as a workaround.
>   2. SNI has only very recently become supported by most browsers
>      and there is still some software that does not support SNI:
>      - Internet Explorer on Windows XP (should not be relevant
>        anymore, but unfortunately it is)
>      - older wget (as included in the still supported Debian wheezy)
>      - Python before 2.7.9 (again Debian wheezy)
>      - Mercurial before version 3.3 (Debian jessie has 3.1.2)
>      - Java 6 (even at the current patch level)
>      - Not sure if Android 2.x still counts, but I mention it for
>        completeness
>   I want to use SNI in the future, but I assume this still has to
>   wait a bit for getting Windows XP with IE usage below 1% and
>   maybe even Debian jessie becoming oldstable.
> = The proposed next step for gpg4win =
> My plan is to buy a certificate with the following SAN entries:
>   www.gpg4win.org (main address)
>   www.gpg4win.de
>   gpg4win.org
>   gpg4win.de
>   files.gpg4win.org
>   files.gpg4win.de
> With a lifetime of three years, this will cost us 640€ for a
> certificate from GeoTrust (see below for why we use GeoTrust).
> The certificate will be installed on the server that currently hosts
> files.gpg4win.org, so downloads from there will immediately become
> trusted without importing Intevation's CA.
> I will upgrade the server so it can offer TLS1.2, like Wald already
> does.
> As the content of www.gpg4win.org is generated into static files,
> moving the gpg4win website to this server is easy. Updating the
> website can be done by the same people who can publish new releases,
> but others can be added if needed, too.
> If there are no objections, I can start with this.
> = Future steps =
> The mailing lists are currently hosted on Wald. As most mails sent
> to and received from the list are transferred via unprotected SMTP
> connections, having SSL would be nice (especially for the Mailman
> web interface), but is less important than website and downloads.
> A possible solution could be to move the mailing lists to
> lists.gnupg.org, which already provides a certificate signed by a CA
> known to modern browsers.
> But this would not solve secure access to the web forums on Wald and
> most solutions for the forums would also provide a solution for the
> mailing list.
> I assume the most appropriate solution would be to buy a wildcard
> certificate for Wald, which would cost 1380€ for three years for the
> certificate and the additional required IPv4 IP, and solve or
> work around the FusionForge templating mechanism.
> = Comments on alternative CAs =
> Yes, there are cheaper CAs than GeoTrust, but it has some benefits
> that others can't offer us:
> - It is a well-known CA that is accepted by all relevant browsers
>   and other https clients.
> - A German reseller that sends us a single invoice for all
>   certificates we have bought, so our accounting does not run into
>   issues or has to pay a separate invoice for each certificate.
>   Despite having our own CA, we have bought many certificates for
>   customers and some of our other servers.
> - Because of this it can't happen that our credit card gets charged
>   beyond the monthly limit and will leave our CEO stranded somewhere :)
> - If things go wrong, we can call a real human!
> - We can buy certificates for domains or subdomains that we do not
>   own. This applies to the gpg4win domains, too. GeoTrust will
>   contact the owner and ask for permission.
> - It is not Comodo, see e.g.
>   https://en.wikipedia.org/wiki/Comodo_Group#Certificate_hacking
>   so it is less likely that your sysadmin has marked it as
>   untrusted.
> - It is still cheaper than some other CAs which offer a similar
>   level of quality.
> Whew! That was long. Thanks for reading (or skimming). Feel free to
> contact me via this list (I subscribed some weeks ago) if you have
> questions or comments.
> Regards,
> Thomas Arendsen Hein
Hi Thomas,

This is great news! Thanks for updating the community on these important
steps, looking forward to the website and downloads having this new cert.


Michael Carbone
Manager of Security Education
Digital Security Helpline
Access | https://www.accessnow.org

GPG fingerprint: 2DBE 2014 E7B0 0730 303D 7AAB 99AB 0624 6EEB F5A8
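An added illustration (not part of the thread or of Intevation's setup) of the two points Thomas raises: how browsers match a hostname against SAN and wildcard entries, and why a client that does not send SNI only ever sees the server's default certificate. The certificate contents below are constructed stand-ins modelled on the names in the post, not the real certificates.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    issuer: str
    public_ca: bool      # True if browsers ship the issuing root
    sans: tuple          # dNSName entries of the subjectAltName extension

# Constructed stand-ins for the certificates discussed in the post (not the real ones).
OWN_CA_CERT = Cert("Intevation CA (private)", False,
                   ("wald.intevation.org", "*.wald.intevation.org",
                    "www.gpg4win.org", "gpg4win.org", "www.gpg4win.de", "gpg4win.de"))
GEOTRUST_CERT = Cert("GeoTrust (public)", True,
                     ("www.gpg4win.org", "www.gpg4win.de", "gpg4win.org",
                      "gpg4win.de", "files.gpg4win.org", "files.gpg4win.de"))

def san_matches(pattern, host):
    """Hostname check as browsers do it (RFC 6125): a wildcard stands for exactly
    one leftmost label, so *.wald.intevation.org covers foo.wald.intevation.org
    but neither wald.intevation.org nor a.b.wald.intevation.org."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == host

def cert_covers(cert, host):
    return any(san_matches(san, host) for san in cert.sans)

def served_cert(host, sni_table, default_cert, client_sends_sni):
    """Which certificate one IP address serves: with SNI the server can pick a
    matching cert; without it (old wget, Python < 2.7.9, Java 6, IE on XP) it
    can only send the default."""
    if client_sends_sni:
        for cert in sni_table:
            if cert_covers(cert, host):
                return cert
    return default_cert

def trusted(host, sni_table, default_cert, client_sends_sni):
    cert = served_cert(host, sni_table, default_cert, client_sends_sni)
    return cert.public_ca and cert_covers(cert, host)

def compare(host, sni_table, default_cert):
    """Trust outcome for an SNI-capable client vs. a client without SNI."""
    return {"sni": trusted(host, sni_table, default_cert, True),
            "no_sni": trusted(host, sni_table, default_cert, False)}
```

Running `compare("www.gpg4win.org", (GEOTRUST_CERT,), OWN_CA_CERT)` models SNI on Wald with the own-CA certificate as default and shows the non-SNI clients still failing, while `compare("files.gpg4win.org", (), GEOTRUST_CERT)` models the dedicated server with a single public certificate, which is trusted either way.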
