[179108] in North American Network Operators' Group
Re: FIXED - Re: Broken SSL cert caused by router?
daemon@ATHENA.MIT.EDU (Tom Taylor)
Mon Mar 30 16:49:32 2015
X-Original-To: nanog@nanog.org
Date: Mon, 30 Mar 2015 13:41:50 -0400
From: Tom Taylor <tom.taylor.stds@gmail.com>
To: nanog@nanog.org
In-Reply-To: <20150330035605.88087.qmail@ary.lan>
Errors-To: nanog-bounces@nanog.org
On 29/03/2015 11:56 PM, John Levine wrote:
>> SSLCertificateChainFile /etc/ssl/certs/gd_bundle-g2-g1.crt
>>
>> I have actually fixed it.
>
> Yeah, that's always it.
>
> Back in the good aulde days all of the SSL certs one might buy were
> signed directly by the CA, but now more often than not there are
> intermediate certs, and a valid cert needs to be accompanied by all of
> the intermediate certs between it and the CA.
>
> What makes debugging hard is that browsers try to be helpful. If a
> server doesn't provide the intermediate certs, but the browser happens
> to have them in its cache from some other site, well, close enough and
> the SSL works. But if some other browser doesn't happen to have them,
> you lose.
>
> So if your SSL is flaky, check those intermediate certs first.
>
> R's,
> John
>
With all this resolved, I'll note that I just reviewed
draft-ietf-tls-sslv3-diediedie, which is in IETF Last Call prior to
publication as an RFC. It deprecates the use of any version of SSL in
favour of TLS 1.2 in the clientHello negotiations.
Tom Taylor
