Hello Nikolaus, On 2014-04-16 14:50, Nikolaus Polak wrote: > some of the users of 0nl1ne.at noticed me that connections to specific > servers are not reliable since a few days (working only in one > direction), and because I have no idea where this comes from (contacted > already one admin of one of these servers, cluster.sx - he said he did > only a openssl upgrade, and I updated the CaCert certificate for > 0nl1ne.at), I'm writing now to this nice list. > > (snip) > > Any ideas?
I note that your other hosts has StartCom certificates, so this is likely to do with CAcert.org. Two things: CAcert.org has been removed from the default CAs in Debian¹ and Ubuntu² recently, so these might no longer be trusted by some host. However there's still Dialback, so this might not be noticed. Secondly, CAcert.org recently switched to SHA2-512 signatures³, which has been criticized⁴ because this there are known compatibility issues. ¹ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434 ² http://changelogs.ubuntu.com/changelogs/pool/main/c/ca-certificates/ca-certificates_20130906ubuntu2/changelog ³ http://blog.cacert.org/2014/01/cacert-with-new-signature-algorithm/ ⁴ http://bridge.grumpy-troll.org/2014/03/cacert/ -- Kim "Zash" Alvefur
signature.asc
Description: OpenPGP digital signature
