Re: [asterisk-dev] NET::ERR_CERT_SYMANTEC_LEGACY: Re-issue your RapidSSL certificate!

2018-08-06 Thread Joshua Colp
On Sun, Aug 5, 2018, at 3:39 PM, Dan Jenkins wrote:
> Ha! Already informed them on Friday via other means. I'm told there is now
> an IT ticket open

Indeed, I have brought it up with them and it is on their side to get new ones 
issued and deployed. I don't have a time frame on when they will be doing it, 
though.

-- 
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org

-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-dev

Re: [asterisk-dev] NET::ERR_CERT_SYMANTEC_LEGACY: Re-issue your RapidSSL certificate!

2018-08-05 Thread Dan Jenkins
Ha! Already informed them on Friday via other means. I'm told there is now
an IT ticket open

On Sun, 5 Aug 2018, 11:18 Alexander Traud wrote:

> All asterisk.org (sub-) domains are secured by a SSL/TLS certificate from
> RapidSSL which chains up to the trust anchor "GeoTrust Global CA". That
> trust anchor belonged to Symantec. Since Chrome 70, Google removes all
> trust in former Symantec trust anchors. When you re-issue your certificate,
> the new owner DigiCert is going to give you a certificate chain to a new
> and still trusted anchor, for free: <
> http://products.geotrust.com/orders/orderinformation/authentication.do>
>
> Reasoning:
>
> Google Chrome 70 entered the Developer channel (aka "unstable") <
> http://www.chromium.org/getting-involved/dev-channel> on Friday <
> http://chromereleases.googleblog.com/2018/08/dev-channel-update-for-desktop_3.html>
> and therefore is available to Linux users now. Because Asterisk is very
> much developer centric, I expect that several Asterisk users and developers
> are using Google Chrome in that channel. Therefore and because the re-issue
> is free and because you could have gone for it since December already,
> please, re-issue as soon as possible.
>
> Technical Notes:
>
> Enter CSR: If you enter the CSR used by our original order, you do not
> have to change the private key on your server. Only the public certificates
> must be changed.
>
> Hashing Algorithm = SHA-1 root: Your chain is going to resolve to
> "DigiCert Global Root CA". Therefore, I recommend to add the intermediate
> certificate to "Baltimore CyberTrust Root" <
> http://ssl-tools.net/subjects/8051060132ad9ac27d5187a0e887fb01620155ee>.
> This gives broader compatibility, even with legacy SSL/TLS clients, at no
> additional costs.
>
> Hashing Algorithm = SHA-256 root: Your chain is going to resolve to
> "DigiCert Global Root G2". Therefore, consider to add the intermediate to
> "VeriSign Class 3 Public Primary Certification Authority - G5" <
> http://ssl-tools.net/subjects/39d28b71fe1d19b65fb3f1288f23bc04595c4395>
> and "VeriSign Class 3 Public Primary Certification Authority - G3" <
> https://crt.sh/?caid=443> and "VeriSign Class 3 Public Primary
> Certification Authority" (G1) <
> http://ssl-tools.net/subjects/7a838e245f34e61aaa343e930d5a325a60c56d6c>.
> Although those three anchors are not trusted either, up-to-date SSL/TLS
> clients stop at the first trusted anchor in the chain and do not see those
> older ones. This gives the broadest compatibility with legacy platforms.
> However:
> "[DigiCert is] strongly advising subscribers not to use [this particular]
> cross-sign and, if used, remove [this] cross-sign prior to September 2018
> as [DigiCert is] not sure how the distrust will impact [this] cross-sign."
> Therefore, I went for the Hashing Algorithm "SHA-1 root" on all my
> installations.

[asterisk-dev] NET::ERR_CERT_SYMANTEC_LEGACY: Re-issue your RapidSSL certificate!

2018-08-05 Thread Alexander Traud
All asterisk.org (sub-) domains are secured by a SSL/TLS certificate from
RapidSSL which chains up to the trust anchor "GeoTrust Global CA". That trust
anchor belonged to Symantec. Since Chrome 70, Google removes all trust in
former Symantec trust anchors. When you re-issue your certificate, the new
owner DigiCert is going to give you a certificate chain to a new and still
trusted anchor, for free:
<http://products.geotrust.com/orders/orderinformation/authentication.do>

Reasoning:

Google Chrome 70 entered the Developer channel (aka "unstable")
<http://www.chromium.org/getting-involved/dev-channel> on Friday
<http://chromereleases.googleblog.com/2018/08/dev-channel-update-for-desktop_3.html>
and therefore is available to Linux users now. Because Asterisk is very much
developer centric, I expect that several Asterisk users and developers are
using Google Chrome in that channel. Therefore and because the re-issue is free
and because you could have gone for it since December already, please, re-issue
as soon as possible.

Technical Notes:

Enter CSR: If you enter the CSR used by our original order, you do not have to
change the private key on your server. Only the public certificates must be
changed.

Hashing Algorithm = SHA-1 root: Your chain is going to resolve to "DigiCert
Global Root CA". Therefore, I recommend to add the intermediate certificate to
"Baltimore CyberTrust Root"
<http://ssl-tools.net/subjects/8051060132ad9ac27d5187a0e887fb01620155ee>. This
gives broader compatibility, even with legacy SSL/TLS clients, at no additional
costs.

Hashing Algorithm = SHA-256 root: Your chain is going to resolve to "DigiCert
Global Root G2". Therefore, consider to add the intermediate to "VeriSign Class
3 Public Primary Certification Authority - G5"
<http://ssl-tools.net/subjects/39d28b71fe1d19b65fb3f1288f23bc04595c4395> and
"VeriSign Class 3 Public Primary Certification Authority - G3"
<https://crt.sh/?caid=443> and "VeriSign Class 3 Public Primary Certification
Authority" (G1)
<http://ssl-tools.net/subjects/7a838e245f34e61aaa343e930d5a325a60c56d6c>.
Although those three anchors are not trusted either, up-to-date SSL/TLS clients
stop at the first trusted anchor in the chain and do not see those older ones.
This gives the broadest compatibility with legacy platforms. However:
"[DigiCert is] strongly advising subscribers not to use [this particular]
cross-sign and, if used, remove [this] cross-sign prior to September 2018 as
[DigiCert is] not sure how the distrust will impact [this] cross-sign."
Therefore, I went for the Hashing Algorithm "SHA-1 root" on all my
installations.
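
The path-building behaviour described in the Technical Notes, as an added example that is not part of the original post: a names-only model (no signature or validity checks) of how a client stops at the first trusted anchor, so an extra cross-certificate helps legacy clients without changing what up-to-date clients see. The leaf and intermediate names and the three trust stores are constructed assumptions; the root names are the ones quoted in the message.

```python
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str

def build_path(leaf, sent, trust_store, max_depth=8):
    """Follow issuer links from the leaf and stop at the first issuer that is
    a trusted anchor. Returns (subjects_on_path, anchor_name_or_None)."""
    extra = {c.subject: c for c in sent}   # certificates the server sends along
    path, current = [leaf], leaf
    for _ in range(max_depth):
        if current.issuer in trust_store:
            return [c.subject for c in path], current.issuer
        nxt = extra.get(current.issuer)
        if nxt is None or nxt in path:     # missing link or loop: no path
            break
        path.append(nxt)
        current = nxt
    return [c.subject for c in path], None

G2 = "DigiCert Global Root G2"
G5 = "VeriSign Class 3 Public Primary Certification Authority - G5"

# Constructed leaf and intermediate names (assumptions, not from the thread).
LEAF = Cert("www.example.org", "Example Intermediate CA")
INT_SHA1 = Cert("Example Intermediate CA", "DigiCert Global Root CA")
INT_SHA256 = Cert("Example Intermediate CA", G2)
# Cross-certificates as the message describes them.
CROSS_BALTIMORE = Cert("DigiCert Global Root CA", "Baltimore CyberTrust Root")
CROSS_G5 = Cert(G2, G5)

# Constructed trust stores.
UP_TO_DATE = {"DigiCert Global Root CA", G2, "Baltimore CyberTrust Root"}
LEGACY = {"Baltimore CyberTrust Root", G5}   # predates the DigiCert roots

def demo():
    return {
        "sha1_up_to_date": build_path(LEAF, [INT_SHA1, CROSS_BALTIMORE], UP_TO_DATE),
        "sha1_legacy": build_path(LEAF, [INT_SHA1, CROSS_BALTIMORE], LEGACY),
        "sha1_legacy_no_cross": build_path(LEAF, [INT_SHA1], LEGACY),
        "sha256_up_to_date": build_path(LEAF, [INT_SHA256, CROSS_G5], UP_TO_DATE),
        "sha256_legacy": build_path(LEAF, [INT_SHA256, CROSS_G5], LEGACY),
    }

if __name__ == "__main__":
    for name, (path, anchor) in demo().items():
        print(f"{name}: anchor={anchor} path={path}")
```
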



