On 18 July 2017 at 02:12, Gerion Entrup <gerion.entrup.ff...@flump.de> wrote:
> On Tuesday, 18 July 2017, 01:52:53 CEST, Reimar Döffinger wrote:
>> On 18.07.2017, at 00:59, James Almer <jamr...@gmail.com> wrote:
>>
>> > On 7/17/2017 7:49 PM, Moritz Barsnick wrote:
>> >> On Mon, Jul 10, 2017 at 13:53:02 +0300, Boris Pek wrote:
>> >>> Latest news about this topic:
>> >>> https://groups.google.com/a/chromium.org/forum/#!topic/net-dev/FKXe-76GO8Y
>> >>
>> >> Ah, thanks, I neglected to report this, because I thought it was an
>> >> issue with my Opera Developer (48), which uses the Chrome engine. Opera
>> >> (like Chrome) recently reports ffmpeg.org's certificate as revoked, but
>> >> I found no tool which could verify this...
>> >
>> > The cert is by StartCom. Afaik everyone blacklisted certs issued by them
>> > after a certain date, and now some, like Google, are also blacklisting
>> > certs issued before that date as well.
>> > Mozilla hasn't done the latter yet, so Firefox doesn't complain about
>> > it, but I guess a new cert is overdue.
>>
>> New certs are already being generated, but nobody had the time to do the 
>> transition, there is a risk of the automation failing
>> (I think the web server needs to be made to reload the certificate, which is 
>> problematic as an ordinary user and there is no way I'd ever run any of that 
>> letsencrypt stuff as root),
> This seems to work as cronjob:
> ```
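> #!/bin/sh
>
> # Run the renewal as the unprivileged "letsencrypt" user. grep exits 1 when
> # "No renewals" is absent from the output, i.e. something was renewed.
> su -c "certbot renew 2>/dev/null | grep 'No renewals' >/dev/null" letsencrypt -s /bin/bash
> if [ $? -eq 1 ]; then
>         # Reload as root so nginx picks up the new certificate.
>         service nginx reload
> fi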
> ```
>
> Gerion
>
>> it is also a step backwards as the letsencrypt one is a domain-only 
>> certificate, and due to TLS's idiotic design decisions it's not possible to 
>> just deliver both certificates...
>> Thus the current situation.
>> Lack of time for proper testing being the biggest issue though...
>
>

Whether the next one is a letsencrypt cert or some other, the StartCom
ones are getting deprecated fast:
https://security.googleblog.com/2017/07/final-removal-of-trust-in-wosign-and.html
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
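
An added example, not part of the thread or of ffmpeg.org's actual setup: one way to keep `certbot renew` under an unprivileged account, as discussed above, is a separate root cron job that reloads the web server only when the certificate file on disk has changed, instead of parsing certbot's output. The function names, the state file and the reload command passed as arguments are assumptions.

```shell
#!/bin/sh
# Root-side half of a split renewal job (added example; names are hypothetical).
# The unprivileged account runs `certbot renew`; root runs only this script.

# cert_digest FILE: print the SHA-256 of the file's contents.
cert_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# cert_changed CERT STATE
# Returns 0 and records the new digest if CERT differs from the digest stored
# in STATE (a missing STATE counts as changed), 1 if unchanged, 2 if unreadable.
cert_changed() {
    cert=$1; state=$2
    [ -r "$cert" ] || return 2
    new=$(cert_digest "$cert") || return 2
    old=$(cat "$state" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 1
    # Write via a temp file so a crash never leaves a truncated state file.
    tmp=$(mktemp "${state}.XXXXXX") || return 2
    printf '%s\n' "$new" > "$tmp" && mv "$tmp" "$state"
}

# reload_if_renewed CERT STATE RELOAD_CMD [ARGS...]
# Runs RELOAD_CMD only when the certificate changed since the last run.
reload_if_renewed() {
    cert=$1; state=$2; shift 2
    rc=0
    cert_changed "$cert" "$state" || rc=$?
    case $rc in
        0) "$@" ;;        # renewed: reload the server
        1) return 0 ;;    # unchanged: nothing to do
        *) echo "cannot read certificate: $cert" >&2; return 2 ;;
    esac
}

# Example root cron invocation (paths are placeholders):
#   this-script /etc/letsencrypt/live/<domain>/fullchain.pem \
#       /var/lib/cert-reload/state service nginx reload
if [ "$#" -ge 3 ]; then
    reload_if_renewed "$@"
fi
```

The first run finds no state file and therefore reloads once; after that the reload fires only when the certificate file's contents change.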