On 13.11.2015 14:32, Alex 'CAVE' Cernat wrote:
> For personal use or tests I recommend wosign, preferably with ocsp stapling.
> Fast, efficient
Until this morning I would have recommended it too, but today (Friday the 13th!) Firefox users started turning up their noses at the OCSP validation of a WoSign certificate. And not because their OCSP server wasn't responding… The people at WoSign have even moved their OCSP servers to Akamai, and they have been responding quickly lately. But they messed up with an expired certificate for WoSign Free SSL OCSP Responder(G2). Details from the output of the SSL command are in the attachment.

We used it mostly for internal use, but we are going to drop WoSign after today's blunder. For personal use, StartSSL is the better fit. For tests in a company (so commercial use) I would rather try Let's Encrypt.
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = CN, O = WoSign CA Limited, CN = WoSign Free SSL OCSP Responder(G2)
    Produced At: Nov 13 14:52:32 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: A06661F16CBCC23E98BC71914830B85AAA8D0A6B
      Issuer Key Hash: D2A716207CAFD9959EEB430A19F2E0B9740EA8C7
      Serial Number: 2666A2273E6C672D7CE5BFECA2244151
    Cert Status: good
    This Update: Nov 13 14:52:32 2015 GMT
    Next Update: Nov 15 14:52:32 2015 GMT

    Signature Algorithm: sha1WithRSAEncryption
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            33:d3:06:de:06:d4:a4:07:1f:33:ce:3e:0f:e0:83:cf
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, O=WoSign CA Limited, CN=WoSign CA Free SSL Certificate G2
        Validity
            Not Before: Nov 13 08:05:01 2014 GMT
            Not After : Nov 13 08:05:01 2015 GMT
        Subject: C=CN, O=WoSign CA Limited, CN=WoSign Free SSL OCSP Responder(G2)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                OCSP Signing, OCSP No Check
            X509v3 Basic Constraints: critical
                CA:FALSE
            OCSP No Check:

            X509v3 Subject Key Identifier:
                74:FD:91:CB:94:E8:7F:C9:1E:AF:2E:EF:0B:14:D4:A1:D3:3A:79:CB
            X509v3 Authority Key Identifier:
                keyid:D2:A7:16:20:7C:AF:D9:95:9E:EB:43:0A:19:F2:E0:B9:74:0E:A8:C7

    Signature Algorithm: sha256WithRSAEncryption
======================================
_______________________________________________ RLUG mailing list RLUG@lists.lug.ro http://lists.lug.ro/mailman/listinfo/rlug
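
Added example (not part of the original post or its attachment): a Python check over the date fields of the openssl text output above, showing why a client rejects this response even though the status is "good": it was produced after the responder certificate's Not After. The function names and the reduced SAMPLE are constructed for this illustration, and the parser assumes the first Validity block in the output belongs to the responder certificate.

```python
import re
from datetime import datetime, timezone

# Constructed sample: only the date-bearing lines of the output quoted in the post.
SAMPLE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Responder Id: C = CN, O = WoSign CA Limited, CN = WoSign Free SSL OCSP Responder(G2)
    Produced At: Nov 13 14:52:32 2015 GMT
    Cert Status: good
    This Update: Nov 13 14:52:32 2015 GMT
    Next Update: Nov 15 14:52:32 2015 GMT
Certificate:
        Validity
            Not Before: Nov 13 08:05:01 2014 GMT
            Not After : Nov 13 08:05:01 2015 GMT
"""

FIELDS = ("Produced At", "This Update", "Next Update", "Not Before", "Not After")

def parse_times(text):
    """Return {field: UTC datetime} for the first occurrence of each field."""
    out = {}
    for name in FIELDS:
        m = re.search(rf"{name}\s*:\s*(\w{{3}}\s+\d+ [\d:]+ \d{{4}}) GMT", text)
        if m:
            ts = " ".join(m.group(1).split())  # collapse padding of one-digit days
            out[name] = datetime.strptime(ts, "%b %d %H:%M:%S %Y").replace(
                tzinfo=timezone.utc)
    return out

def check_response(text, now):
    """List the reasons a client could reject this response at time `now`."""
    t = parse_times(text)
    problems = []
    # The signer's certificate must be valid at the moment it signed the response.
    if not t["Not Before"] <= t["Produced At"] <= t["Not After"]:
        problems.append("responder certificate not valid when response was signed")
    if now > t["Not After"]:
        problems.append("responder certificate expired")
    # Freshness of the status itself is a separate check from signer validity.
    if not t["This Update"] <= now <= t["Next Update"]:
        problems.append("response outside thisUpdate/nextUpdate window")
    return problems

if __name__ == "__main__":
    for p in check_response(SAMPLE, datetime(2015, 11, 13, 15, 0, tzinfo=timezone.utc)):
        print("REJECT:", p)
```

Run against real `openssl ocsp -resp_text` output, the same check can be scheduled by anyone who staples responses, so a lapsed responder certificate is noticed before browsers start failing.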