Hi everyone,

On Thu, Apr 17, 2014 at 06:37:19AM +0000, Nikolaus Polak wrote:
> Quoting Kim Alvefur <[email protected]>:
> >On 2014-04-16 14:50, Nikolaus Polak wrote:
> >>some of the users of 0nl1ne.at notified me that connections to specific
> >>servers are not reliable since a few days (working only in one
> >>direction), and because I have no idea where this comes from (contacted
> >>already one admin of one of these servers, cluster.sx - he said he did
> >>only an openssl upgrade, and I updated the CaCert certificate for
> >>0nl1ne.at), I'm writing now to this nice list.
> >
> >I note that your other hosts have StartCom certificates, so this is
> >likely to do with CAcert.org.
> >
> >Two things: CAcert.org has been removed from the default CAs in Debian¹
> >and Ubuntu² recently, so these might no longer be trusted by some host.
> >However there's still Dialback, so this might not be noticed.
> >
> >Secondly, CAcert.org recently switched to SHA2-512 signatures³, which
> >has been criticized⁴ because there are known compatibility issues.
>
> And I guess this one was the point, as communication between the
> other servers works without problems. I just switched from the
> CaCert certificate to a self-signed, no problems now with 0nl1ne.at
> s2s communications.
> Hoping to be able to switch back soon, I like CaCert more than
> self-signed ones.

I hope everyone realizes how much, to no fault of Nikolaus of course, of a joke this is. So now self-signed certs are better than CACert ones. Security to the max.

greetings,
Mati

--
I only read plain text mail!
I prefer pgp|gpg signed & encrypted mails!
