[158907] in North American Network Operators' Group
Re: Gmail and SSL
daemon@ATHENA.MIT.EDU (Peter Kristolaitis)
Fri Dec 14 18:03:29 2012
Date: Fri, 14 Dec 2012 18:03:05 -0500
From: Peter Kristolaitis <alter3d@alter3d.ca>
To: "nanog@nanog.org" <nanog@nanog.org>
In-Reply-To: <ED78B1C68B84A14FA706D13A230D7B431A1C6C74@ITS-MAIL01.campus.ad.csulb.edu>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I've heard this argument fairly often when I mention free/cheap certificates to colleagues, etc., but no one has ever actually pointed to a reasonable case where this is true ("the 20 year old VMS system that I've never patched running OpenSSL 0.0.0.0.1-pre-alpha doesn't work" doesn't count...).
I tested my StartSSL certs against quite a number of clients and haven't found anything reasonably modern (say in the last 10 years) that didn't work either out of the box or by updating the root CA list from the OS vendor via the OS' standard patching mechanism.
In my experience, free/cheap certs "not working" on some clients is, in 99.9% of cases, a misconfiguration error where the server isn't presenting the cert chain properly (usually omitting the intermediate cert), which works on some platforms (often because they include the intermediate certs to work around these kinds of problems) but not on others. Fixing the cert chain that's presented to the client has ALWAYS resolved these types of issues in my experience.
If you have a specific example that you know breaks with a specific (free/cheap cert, client) pair, I'd love to know so I can test it (if possible, i.e. I can actually get my hands on the client device/software).
- Pete
On 12/14/2012 4:45 PM, Matthew Black wrote:
> A major problem with free or low-cost certificates is that their intermediate CA certificate does not always point back to a root certificate in client machines and/or software.
>
> matthew black
> california state university, long beach
>
>
>
> -----Original Message-----
> From: Peter Kristolaitis [mailto:alter3d@alter3d.ca]
> Sent: Friday, December 14, 2012 7:53 AM
> To: nanog@nanog.org
> Subject: Re: Gmail and SSL
>
> On 12/14/2012 10:47 AM, Randy wrote:
>> I don't have hundreds of dollars to get my ssl certificates signed
> You can get single-host certificates issued for free from StartSSL, or
> for very cheaply (under $10) from low-cost providers like CheapSSL.com.
> I've never had a problem having my StartSSL certs verified by anyone.
>
> - Pete
>
>
>
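The chain-presentation problem Pete describes (server sends only the leaf, so the client cannot reach a trusted root unless it happens to already hold the intermediate) can be reproduced offline. The script below is an added example, not code from the thread or from any of the posters; it assumes only that the openssl command line (1.1.1 or later) is installed. Every key, name and certificate it uses is constructed on the fly (root "Constructed Root CA", intermediate "Constructed Intermediate CA", leaf "www.example.test"), and the helper names `build_chain`, `verify_leaf_only`, `verify_with_sent_intermediate`, `verify_with_cached_intermediate` and `chain_is_linked` are this example's own.

```shell
#!/bin/sh
# Added example (not from the NANOG thread): build a throwaway root -> intermediate
# -> leaf chain and show the three client outcomes Pete describes. All material is
# constructed here and thrown away; nothing real is reused.

build_chain() {
    # $1: scratch directory. Writes root.pem, int.pem, leaf.pem and fullchain.pem into it.
    d="$1"
    cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    # Self-signed root (the only thing the simulated client trusts).
    openssl req -x509 -config "$d/ext.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Constructed Root CA" -days 2 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -new -config "$d/ext.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Constructed Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ext.cnf" -extensions ca_ext -days 2 -out "$d/int.pem" 2>/dev/null
    # Server (leaf) certificate, signed by the intermediate, not by the root.
    openssl req -new -config "$d/ext.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -extfile "$d/ext.cnf" -extensions leaf_ext -days 2 -out "$d/leaf.pem" 2>/dev/null
    # What a correctly configured server should send: leaf first, then the intermediate.
    cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"
}

# Client 1: trusts only the root, and the server sent just the leaf. Path building
# stops at the leaf ("unable to get local issuer certificate"); exit status is non-zero.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Client 2: trusts only the root, and the server sent leaf + intermediate. The
# intermediate is an *untrusted* input used purely to build the path, which is how
# a browser treats the extra certificates a server presents.
verify_with_sent_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Client 3: a platform that already ships the intermediate in its own store. The
# misconfigured server "works" here, which is why the problem goes unnoticed.
verify_with_cached_intermediate() {
    cat "$1/root.pem" "$1/int.pem" > "$1/store.pem"
    openssl verify -CAfile "$1/store.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Sanity check on a server chain file: each certificate's issuer must be the subject
# of the certificate that follows it. Catches wrong ordering; completeness is what
# the verify calls above check.
chain_is_linked() {
    dir="$(mktemp -d)"
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/c" n ".pem")}' "$1"
    n="$(ls "$dir" | wc -l | tr -d ' ')"
    i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        issuer="$(openssl x509 -noout -issuer -in "$dir/c$i.pem" | sed 's/^issuer=//')"
        subject="$(openssl x509 -noout -subject -in "$dir/c$j.pem" | sed 's/^subject=//')"
        [ "$issuer" = "$subject" ] || { rm -rf "$dir"; return 1; }
        i=$j
    done
    rm -rf "$dir"
    return 0
}

WORK="$(mktemp -d)"
build_chain "$WORK"
verify_leaf_only "$WORK" && echo "leaf alone: OK" || echo "leaf alone: FAIL (intermediate not presented)"
verify_with_sent_intermediate "$WORK" && echo "leaf + sent intermediate: OK" || echo "leaf + sent intermediate: FAIL"
verify_with_cached_intermediate "$WORK" && echo "leaf, intermediate already in client store: OK" || echo "cached intermediate: FAIL"
chain_is_linked "$WORK/fullchain.pem" && echo "fullchain.pem order: linked" || echo "fullchain.pem order: broken"
```

Run it as-is; the first line reports FAIL and the other three report OK, which is the pattern of "works on some platforms but not others" from the message: the fix is on the server side (ship `fullchain.pem`, leaf followed by intermediate), not in the client's trust store.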