[159075] in North American Network Operators' Group


Re: Gmail and SSL

daemon@ATHENA.MIT.EDU (Jasper Wallace)
Fri Dec 21 02:38:29 2012

Date: Fri, 21 Dec 2012 07:38:17 +0000 (GMT)
From: Jasper Wallace <jasper@pointless.net>
To: Christopher Morrow <morrowc.lists@gmail.com>
In-Reply-To: <CAL9jLaYAmV8hSEKJnrZKowH95F1pO83EvQjXvSP8-4SDTWZmeg@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Fri, 14 Dec 2012, Christopher Morrow wrote:

> On Fri, Dec 14, 2012 at 6:03 PM, Peter Kristolaitis <alter3d@alter3d.ca> wrote:
> > In my experience, free/cheap certs "not working" on some clients is, in
> > 99.9% of cases, a misconfiguration error where the server isn't presenting
> > the cert chain properly (usually omitting the intermediate cert), which
> > works on some platforms (often because they include the intermediate certs
> > to work around these kinds of problems) but not on others.  Fixing the cert
> > chain that's presented to the client has ALWAYS resolved these types of
> > issues in my experience.
> 
> and in the case of the original topic... if the gmail servers don't
> accept StartSSL certs, please let me know I'll see about a fix.

Tangentially to this: any chance of supporting TLSA/DANE records for 
_110._tcp.domain and _995._tcp.domain? (and the IMAP equivalents).

That would let people who prefer to carry on using self-signed certs, and 
let people who have a cert that chains back to a root CA assert which root 
CA the cert should chain back to, which would be nice in these 
days of DigiNotar and Comodo hacks...

-- 
[http://pointless.net/]                                   [0x2ECA0975]
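As an added example, not part of Jasper Wallace's message or of anything Google or the list published: a Go program showing what the two things asked for above look like on the wire. A TLSA record with usage 3 (DANE-EE) pins the server certificate itself, so a self-signed cert works and the client never builds a CA chain; usage 2 (DANE-TA) pins the CA the certificate must chain back to, and the system CA store is never consulted for either. The program computes the record data for both cases and checks a presented certificate chain against either kind of record. The host mail.example.com, the "Example Mail CA" and the certificates it issues are constructed test inputs generated inside the program; the DNS lookup and the DNSSEC validation a client must perform before trusting a record are outside what it shows.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

type TLSA struct { // RDATA of one TLSA record (RFC 6698, section 2.1)
	Usage    uint8  // 2 = DANE-TA: the chain must pass through the named CA; 3 = DANE-EE: the leaf itself
	Selector uint8  // 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
	Matching uint8  // 0 = exact bytes, 1 = SHA-256 (type 2, SHA-512, is left out of this example)
	Data     []byte // certificate association data
}

// assocData selects the certificate bytes the record covers and applies the matching type.
func assocData(cert *x509.Certificate, selector, matching uint8) ([]byte, error) {
	if selector > 1 || matching > 1 {
		return nil, fmt.Errorf("selector %d / matching type %d not handled here", selector, matching)
	}
	b := cert.Raw
	if selector == 1 {
		b = cert.RawSubjectPublicKeyInfo
	}
	if matching == 1 {
		h := sha256.Sum256(b)
		b = h[:]
	}
	return b, nil
}

// RecordFor computes the record to publish: pass the server cert for usage 3, the CA cert for usage 2.
func RecordFor(cert *x509.Certificate, usage, selector, matching uint8) (TLSA, error) {
	d, err := assocData(cert, selector, matching)
	return TLSA{usage, selector, matching, d}, err
}

// String renders the RDATA in zone-file presentation format, e.g. "3 1 1 <hex>".
func (t TLSA) String() string {
	return fmt.Sprintf("%d %d %d %s", t.Usage, t.Selector, t.Matching, hex.EncodeToString(t.Data))
}

// Matches checks a presented chain (leaf first) against the record for host. The record is
// assumed to have come from a DNSSEC-validated lookup; that validation is not done here.
func (t TLSA) Matches(host string, chain ...*x509.Certificate) (bool, error) {
	if len(chain) == 0 || (t.Usage != 2 && t.Usage != 3) {
		return false, fmt.Errorf("empty chain or usage %d not handled here", t.Usage)
	}
	if t.Usage == 3 { // DANE-EE: the leaf alone must match; no PKIX chain is built at all
		d, err := assocData(chain[0], t.Selector, t.Matching)
		return err == nil && bytes.Equal(d, t.Data), err
	}
	// DANE-TA: matching certs are the only trust anchors; a non-nil empty roots pool never falls back to system roots.
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range chain {
		d, err := assocData(c, t.Selector, t.Matching)
		if err != nil {
			return false, err
		}
		if bytes.Equal(d, t.Data) {
			roots.AddCert(c)
		} else {
			inter.AddCert(c)
		}
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err == nil, nil
}

// newCert is a constructed test helper, not a real CA: a throwaway ECDSA cert for cn, signed by parent/parentKey or self-signed when parent is nil.
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: isCA}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	c, err := x509.ParseCertificate(der)
	return c, key, err
}
```

The owner name for the POP3S record in the message is _995._tcp.mail.example.com (993 for IMAPS; 110 and 143 where STARTTLS is used on the plaintext port), and a zone line is that name, IN TLSA, and what String returns. Two caveats a deployment runs into: the client has to obtain the record through DNSSEC validation, otherwise whoever can spoof DNS can also spoof the pin; and with usage 2 the server still has to send every certificate up to and including the pinned CA, which is the same missing-intermediate problem Peter Kristolaitis describes above, only now it fails closed.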

