On Sunday, September 13, 2015 at 3:15:22 PM UTC-4, Jeffrey Walton wrote:
>
> Hi Everyone,
>
> When we went shopping for low cost/no cost certificates for the web
> server, I thought CAcert (https://www.cacert.org/) would meet our needs.
> The needs are modest:
>
> (1) no domain names or DNS names in the CN
> (2) multiple DNS names in the SAN
> (3) "correct" KU and EKU uses
> (4) low cost/no cost.
>
> I was sadly mistaken because CAcert is using a long term CA certificate
> certified with MD5 (see below). I missed that when I was evaluating them,
> and I apologize for the massive gap. (We could overlook other faux pas on
> the issued end entity certificate, like KU of Key Agreement and the Server
> Gated Cryptography bits).
>
> We're going to temporarily disable SSL on the web server.
>
> The web server's key is still good, and it will be used in the future as
> part of a key continuity program.
>
> If you installed the CAcert CA in a trust store, then you should promptly
> remove it.
>
If you try to connect using TLS, you should get an error similar to the
following because there's a 443 listener, but it's *not* serving over
SSL/TLS:

    Secure Connection Failed
    An error occurred during a connection to www.cryptopp.com. SSL
    received a record that exceeded the maximum permissible length.
    (Error code: ssl_error_rx_record_too_long)

The "ssl_error_rx_record_too_long" is because an SSL/TLS client is trying to
interpret HTTP data (literally, the HTTP) as SSL/TLS protocol data.
Jeff
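The diagnosis above (a TLS client reading plaintext HTTP as a TLS record) can be shown concretely by parsing the 5-byte TLS record header from the first bytes a server sends back. The following is an added example written for this post, not code from the original message or from the Crypto++ project; it assumes the RFC 5246 record-layer limits and uses constructed sample bytes (a plaintext HTTP status line and a fabricated handshake record) rather than anything captured from www.cryptopp.com.

```python
import struct

# TLS record-layer content types (RFC 5246, section 6.2.1).
TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}

# RFC 5246, section 6.2.3: TLSCiphertext.length must not exceed 2^14 + 2048.
# A client that sees a larger length in the header reports "record too long".
MAX_TLS_RECORD_LEN = 2**14 + 2048


def parse_record_header(data: bytes) -> dict:
    """Interpret the first 5 bytes of a server reply as a TLS record header.

    Returns the decoded fields plus a list of reasons the bytes are not a
    plausible TLS record. Plaintext HTTP fails every check, which is what
    produces ssl_error_rx_record_too_long in the client.
    """
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    problems = []
    if content_type not in TLS_CONTENT_TYPES:
        problems.append(f"unknown content type 0x{content_type:02x}")
    if major != 3:
        problems.append(f"unexpected protocol version {major}.{minor}")
    if length > MAX_TLS_RECORD_LEN:
        problems.append(
            f"record length {length} exceeds {MAX_TLS_RECORD_LEN} "
            "(client reports rx_record_too_long)"
        )
    return {
        "content_type": TLS_CONTENT_TYPES.get(content_type, content_type),
        "version": (major, minor),
        "length": length,
        "plausible_tls": not problems,
        "problems": problems,
    }


def looks_like_http(data: bytes) -> bool:
    """Cheap check for a plaintext HTTP response or request at the start of data."""
    head = data[:8]
    if head.startswith(b"HTTP/"):
        return True
    return any(head.startswith(m + b" ") for m in (b"GET", b"POST", b"HEAD"))


# Constructed sample: what a plain HTTP listener on port 443 sends back.
# 'H','T','T','P','/' = 0x48 0x54 0x54 0x50 0x2f, so the "length" field
# decodes to 0x502f = 20527, well above the record-layer maximum.
SAMPLE_HTTP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

# Constructed sample: a handshake record header (type 22, TLS 1.2, 42 bytes)
# followed by 42 placeholder body bytes; only the header is examined here.
SAMPLE_TLS = b"\x16\x03\x03\x00\x2a" + b"\x00" * 42


def diagnose(data: bytes) -> str:
    """One-line verdict for an operator checking why a TLS connection fails."""
    info = parse_record_header(data)
    if info["plausible_tls"]:
        return f"TLS {info['content_type']} record, {info['length']} bytes"
    if looks_like_http(data):
        return "plaintext HTTP on the TLS port: " + "; ".join(info["problems"])
    return "not TLS: " + "; ".join(info["problems"])


if __name__ == "__main__":
    print(diagnose(SAMPLE_HTTP))
    print(diagnose(SAMPLE_TLS))
```

Run against the constructed HTTP bytes, the decoded length is 20527, which is why an NSS-based client such as Firefox gives up with the record-too-long error rather than any certificate error; the certificate is never reached because the record layer itself fails to parse.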
--
You received this message because you are subscribed to the "Crypto++ Users"
Google Group.
To unsubscribe, send an email to [email protected].
More information about Crypto++ and this group is available at
http://www.cryptopp.com.