[Gpg4win-users-en] Commonly accepted SSL/TLS certificate for gpg4win websites

Thomas Arendsen Hein thomas at intevation.de
Fri Oct 16 17:04:15 CEST 2015

* Daniel Kahn Gillmor <dkg at fifthhorseman.net> [20151015 18:15]:
> On Thu 2015-10-15 10:04:58 -0400, Thomas Arendsen Hein wrote:
> >   The main problem here was the templating mechanism of FusionForge
> >   for the web server configuration files for Wald. Some early
> >   attempts to adjust this failed, 
> Have you asked the fusionforge developers for help with this?  I expect
> that they would prioritize a support request from a project as important
> as gpg4win.

While this sounds like the correct approach, I don't know if the
gpg4win project or Intevation are considered that important for the
FusionForge developers, but maybe we should just ask :)

But even if they help us, it will still require time on our side to
provide them with a good list of requirements and feedback for their
development. We hired someone to do exactly this some time ago, but
unfortunately he left the company.

> I just wanted to discuss one particular option that might make things
> cheaper and quicker for you:
> > * Why don't we simply use SNI to present different certificates?
>  [...snip fusionforge discussion, covered above...]
> >   2. SNI has only very recently become supported by most browsers
> >      and there is still some software that does not support SNI:
> >      - Internet Explorer on Windows XP (should not be relevant
> >        anymore, but unfortunately it is)
> >      - older wget (as included in the still supported Debian wheezy)
> >      - Python before 2.7.9 (again Debian wheezy)
> >      - Mercurial before version 3.3 (Debian jessie has 3.1.2)
> >      - Java 6 (even at the current patch level)
> >      - Not sure if Android 2.x still counts, but I mention it for
> >        completeness
> >
> >   I want to use SNI in the future, but I assume this still has to
> >   wait a bit for getting Windows XP with IE usage below 1% and
> >   maybe even Debian jessie becoming oldstable.
> Up to the present day, none of the hosted web sites worked by default
> with any of the clients listed above, because of the certificates issued
> by a non-cartel root.

"non-cartel root" is a nice word for the current situation :)

On the other hand, all these clients work perfectly after importing
our root certificate from https://ssl.intevation.de/, and that is
something we are reluctant to lose.

> So if SNI ends up being a cheaper/quicker/easier path

Not really cheaper, the price of the extra IPs is just a small part
of the equation, about 1€ per IP per Month.

> PS for the enumerated non-SNI clients in certain versons of debian, I
>    would be happy to support and push for a targeted patch to enable
>    them to use SNI in a point release.  If you know of such a patch
>    (either in a debian bug report or elsewhere), please point me to it.

That would be nice for everyone, but usually this is not available
in small patches, but require larger modifications/backports or new
upstream releases.


thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://lists.wald.intevation.org/pipermail/gpg4win-users-en/attachments/20151016/ceddb3fd/attachment.sig>

More information about the Gpg4win-users-en mailing list