nanog mailing list archives
Re: Gmail and SSL
From: Peter Kristolaitis <alter3d () alter3d ca>
Date: Fri, 14 Dec 2012 18:03:05 -0500
I've heard this argument fairly often when I mention free/cheap certificates to colleagues, etc, but no one has ever actually pointed to a reasonable case where this is true ("the 20 year old VMS system that I've never patched running OpenSSL 0.0.0.0.1-pre-alpha doesn't work" doesn't count...).
I tested my StartSSL certs against quite a number of clients and haven't found anything reasonably modern (say in the last 10 years) that didn't work either out of the box or by updating the root CA list from the OS vendor via the OS' standard patching mechanism.
In my experience, free/cheap certs "not working" on some clients is, in 99.9% of cases, a misconfiguration error where the server isn't presenting the cert chain properly (usually omitting the intermediate cert), which works on some platforms (often because they include the intermediate certs to work around these kinds of problems) but not on others. Fixing the cert chain that's presented to the client has ALWAYS resolved these types of issues in my experience.
If you have a specific example that you know breaks with a specific (free/cheap cert, client) pair, I'd love to know so I can test it (if possible, i.e. I can actually get my hands on the client device/software).
- Pete

On 12/14/2012 4:45 PM, Matthew Black wrote:
> A major problem with free or low-cost certificates is that their intermediate CA certificate does not always point back to a root certificate in client machines and/or software.
>
> matthew black
> california state university, long beach
>
> -----Original Message-----
> From: Peter Kristolaitis [mailto:alter3d () alter3d ca]
> Sent: Friday, December 14, 2012 7:53 AM
> To: nanog () nanog org
> Subject: Re: Gmail and SSL
>
> On 12/14/2012 10:47 AM, Randy wrote:
>> I don't have hundreds of dollars to get my ssl certificates signed
>
> You can get single-host certificates issued for free from StartSSL, or for very cheaply (under $10) from low-cost providers like CheapSSL.com. I've never had a problem having my StartSSL certs verified by anyone.
>
> - Pete
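
The missing-intermediate misconfiguration described in the message above, reproduced against a throwaway three-level CA. This is an added example, not part of the original post: it assumes an `openssl` binary on the PATH, and every subject name, file name and helper function in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI (root -> intermediate -> leaf).
# Subject names and file names are hypothetical.

# issue NAME SUBJECT EXT_SECTION SIGNER_ARGS...: new key + CSR, then sign it.
issue() {
    name=$1 subj=$2 ext=$3; shift 3
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$name.key" -out "$name.csr" &&
    openssl x509 -req -in "$name.csr" -days 30 -extfile ext.cnf \
        -extensions "$ext" -out "$name.pem" "$@"
}

# client_accepts TRUST_STORE [SENT_BY_SERVER]
# -CAfile models the client's root store; -untrusted models the extra
# certificates the server presents in the handshake.
client_accepts() {
    openssl verify -CAfile "$1" ${2:+-untrusted "$2"} leaf.pem 2>&1 |
        grep -q ': OK$'
}

report() {  # report LABEL TRUST_STORE [SENT_BY_SERVER]
    if client_accepts "$2" "$3"; then echo "$1=accepted"
    else echo "$1=rejected"; fi
}

chain_demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    trap 'rm -rf "$dir"' EXIT
    printf '%s\n' '[ca]' 'basicConstraints=critical,CA:TRUE' \
                  '[leaf]' 'basicConstraints=CA:FALSE' > ext.cnf
    {
        issue root '/CN=Demo Root CA' ca -signkey root.key &&
        issue int '/CN=Demo Intermediate CA' ca \
            -CA root.pem -CAkey root.key -CAcreateserial &&
        issue leaf '/CN=www.example.test' leaf \
            -CA int.pem -CAkey int.key -CAcreateserial
    } >/dev/null 2>&1 || exit 1
    # A client that ships or has cached the intermediate itself.
    cat root.pem int.pem > root_plus_int.pem

    report server_omits_intermediate root.pem
    report server_sends_intermediate root.pem int.pem
    report omitted_but_client_has_it root_plus_int.pem
)

chain_demo
```

The same leaf certificate is rejected or accepted depending only on whether the intermediate reaches the verifier, either from the server or from the client's own store.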