[Gpg4win-users-en] Commonly accepted SSL/TLS certificate for gpg4win websites
Thomas Arendsen Hein
thomas at intevation.de
Fri Oct 16 17:04:15 CEST 2015
* Daniel Kahn Gillmor <dkg at fifthhorseman.net> [20151015 18:15]:
> On Thu 2015-10-15 10:04:58 -0400, Thomas Arendsen Hein wrote:
> > The main problem here was the templating mechanism of FusionForge
> > for the web server configuration files for Wald. Some early
> > attempts to adjust this failed,
>
> Have you asked the fusionforge developers for help with this? I expect
> that they would prioritize a support request from a project as important
> as gpg4win.
While this sounds like the correct approach, I don't know if the
gpg4win project or Intevation are considered that important for the
FusionForge developers, but maybe we should just ask :)
But even if they help us, it will still require time on our side to
provide them with a good list of requirements and feedback for their
development. We hired someone to do exactly this some time ago, but
unfortunately he left the company.
> I just wanted to discuss one particular option that might make things
> cheaper and quicker for you:
>
> > * Why don't we simply use SNI to present different certificates?
> [...snip fusionforge discussion, covered above...]
> > 2. SNI has only very recently become supported by most browsers
> > and there is still some software that does not support SNI:
> > - Internet Explorer on Windows XP (should not be relevant
> > anymore, but unfortunately it is)
> > - older wget (as included in the still supported Debian wheezy)
> > - Python before 2.7.9 (again Debian wheezy)
> > - Mercurial before version 3.3 (Debian jessie has 3.1.2)
> > - Java 6 (even at the current patch level)
> > - Not sure if Android 2.x still counts, but I mention it for
> > completeness
> >
> > I want to use SNI in the future, but I assume this still has to
> > wait a bit for getting Windows XP with IE usage below 1% and
> > maybe even Debian jessie becoming oldstable.
>
> Up to the present day, none of the hosted web sites worked by default
> with any of the clients listed above, because of the certificates issued
> by a non-cartel root.
"non-cartel root" is a nice word for the current situation :)
On the other hand, all these clients work perfectly after importing
our root certificate from https://ssl.intevation.de/, and that is
something we are reluctant to lose.
> So if SNI ends up being a cheaper/quicker/easier path
Not really cheaper, the price of the extra IPs is just a small part
of the equation, about 1€ per IP per month.
> PS for the enumerated non-SNI clients in certain versions of debian, I
> would be happy to support and push for a targeted patch to enable
> them to use SNI in a point release. If you know of such a patch
> (either in a debian bug report or elsewhere), please point me to it.
That would be nice for everyone, but usually this is not available
in small patches, but requires larger modifications/backports or new
upstream releases.
Regards,
Thomas
--
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner