On 27.03.2014 20:44, Ruediger Pluem wrote:
Daniel Kahn Gillmor wrote:
Do we have a robust, free tool that, given a single X.509 EE cert, can do
automagic fetching and trying of all
combinations of these things and produce a reasonable PEM-encoded
SSLCertificateChainFile on stdout?
On Wed, Mar 26, 2014 at 4:56 PM, Dr Stephen Henson
shen...@opensslfoundation.com wrote:
On 26/03/2014 13:38, Emilia Kasper wrote:
On Wed, Mar 26, 2014 at 1:11 PM, Dr Stephen Henson
shen...@opensslfoundation.com
wrote:
If the server is
On Wed, Mar 26, 2014 at 5:46 PM, Daniel Kahn Gillmor
d...@fifthhorseman.net wrote:
On 03/26/2014 11:29 AM, Emilia Kasper wrote:
Cross-signing happens all the time but afaik the other way around, i.e.,
an
intermediate Y' corresponding to a _newer_ root cert Y is cross-signed by
some _older_
On 03/27/2014 09:27 AM, Emilia Kasper wrote:
HPKP can never work this way. Pin validation is always done on top of
normal TLS validation and can only invalidate an otherwise valid connection
and never the other way around. Otherwise I could trivially hijack
connections by pinning sites to a
On 27/03/2014 13:01, Emilia Kasper wrote:
On Wed, Mar 26, 2014 at 4:56 PM, Dr Stephen Henson
shen...@opensslfoundation.com wrote:
On 26/03/2014 13:38, Emilia Kasper wrote:
On Wed, Mar 26, 2014 at 1:11 PM, Dr Stephen Henson
On 26/03/14 15:29, Emilia Kasper wrote:
Wow, thanks for all the great feedback!
On Wed, Mar 26, 2014 at 2:47 PM, Daniel Kahn Gillmor wrote:
snip
This is a pretty perverse situation, though, and perhaps the answer is
that CA X just shouldn't do that kind of weird/chained reissuance
On 26/03/14 16:46, Daniel Kahn Gillmor wrote:
snip
it doesn't even need to fetch the certificate itself, it could just make
the big noisy error log say you should fetch the cert from AIAURL and
append it to SSLCertificateChainFile
AIAURL is supposed to be DER-encoded rather than
On 03/27/2014 12:37 PM, Rob Stradling wrote:
On 26/03/14 16:46, Daniel Kahn Gillmor wrote:
snip
it doesn't even need to fetch the certificate itself, it could just make
the big noisy error log say you should fetch the cert from AIAURL and
append it to SSLCertificateChainFile
AIAURL is
On 27/03/14 14:04, Daniel Kahn Gillmor wrote:
On 03/27/2014 09:27 AM, Emilia Kasper wrote:
snip
As I said, I have low faith in admin intervention.. According to SSL pulse,
6% of Alexa top 200K sites serve an incomplete chain. You'd think they'd
notice.
I share your skepticism, but to be
Hi Rob!
On Thu, Mar 27, 2014 at 5:29 PM, Rob Stradling rob.stradl...@comodo.com wrote:
On 26/03/14 15:29, Emilia Kasper wrote:
Wow, thanks for all the great feedback!
On Wed, Mar 26, 2014 at 2:47 PM, Daniel Kahn Gillmor wrote:
snip
This is a pretty perverse situation, though, and
Daniel Kahn Gillmor wrote:
On 03/27/2014 12:37 PM, Rob Stradling wrote:
On 26/03/14 16:46, Daniel Kahn Gillmor wrote: snip
it doesn't even need to fetch the certificate itself, it could just make
the big noisy error log say you
should fetch the cert from AIAURL and append it to
On 27/03/14 17:11, Emilia Kasper wrote:
snip
Right. So this particular case could be handled by carefully
constructing the shortest possible chain from all AIA information
available (system store, p7c, crt).
In that particular case, yes, I suppose so. However, our older
AddTrust/UTN roots
On 27/03/14 16:45, Daniel Kahn Gillmor wrote:
snip
Do we have a robust, free tool that, given a single X.509 EE cert, can
do automagic fetching and trying of all combinations of these things and
produce a reasonable PEM-encoded SSLCertificateChainFile on stdout?
If we had such a tool, then the
On 26/03/2014 11:11, Emilia Kasper wrote:
Hi mod_ssl devs,
I have a small patch for mod_ssl that uses new OpenSSL (>=1.0.2) methods when
available to automatically rebuild misconfigured certificate chains.
Github pull request: https://github.com/apache/httpd/pull/7
Some of the common
On Wed, Mar 26, 2014 at 1:11 PM, Dr Stephen Henson
shen...@opensslfoundation.com wrote:
On 26/03/2014 11:11, Emilia Kasper wrote:
Hi mod_ssl devs,
I have a small patch for mod_ssl that uses new OpenSSL (>=1.0.2) methods
when
available to automatically rebuild misconfigured certificate
On 03/26/2014 07:11 AM, Emilia Kasper wrote:
The patch fixes a) by sanity-checking the chain and chopping self-signed
roots. I believe it's harmless to turn on by default as the rebuild step
will either yield a valid chain or preserve the original configuration.
I like this suggestion. with a
Wow, thanks for all the great feedback!
On Wed, Mar 26, 2014 at 2:47 PM, Daniel Kahn Gillmor
d...@fifthhorseman.net wrote:
On 03/26/2014 07:11 AM, Emilia Kasper wrote:
The patch fixes a) by sanity-checking the chain and chopping self-signed
roots. I believe it's harmless to turn on by
On 26/03/2014 13:38, Emilia Kasper wrote:
On Wed, Mar 26, 2014 at 1:11 PM, Dr Stephen Henson
shen...@opensslfoundation.com wrote:
If the server is correctly configured to exclude the root then the chain
build
will fail. The root is needed
On 03/26/2014 11:29 AM, Emilia Kasper wrote:
Cross-signing happens all the time but afaik the other way around, i.e., an
intermediate Y' corresponding to a _newer_ root cert Y is cross-signed by
some _older_ root cert Z. So an old client would usually know only Z and a
newer client would know