[u-u] Odds and Ends

Bill Duncan bduncan at beachnet.org
Fri Jul 20 16:57:48 EDT 2018


This is the info I see on there now..

twiggy:~$ openssl s_client -connect unixunanimous.org:443 < /dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates -fingerprint -serial
subject= /CN=www2.infra-service.ca
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
notBefore=Jul 13 04:15:42 2018 GMT
notAfter=Oct 11 04:15:42 2018 GMT
SHA1 Fingerprint=C8:7B:57:36:9A:86:BF:42:9A:C3:A1:6A:8B:CA:E1:1C:84:7D:F8:FD
serial=04CB17E5A0D5649B30FB1C6319C3DBEC2FFA


On Fri, Jul 20, 2018 at 04:46:18PM -0400, Dan Astoorian wrote:
> On Fri, 20 Jul 2018 16:19:58 EDT, Unix Unanimous writes:
> > 	Removal of the "s" is not secure ... we added a new
> > 	Let's Encrypt cert recently & even tho cert testers
> > 	seem to like it, browsers often take several clicks
> > 	on "Try Again" to make it work for some reason
> > 
> > 
> > 	Perhaps we will replace the cert soon if further
> > 	debugging doesn't turn up anything, sigh :\
> 
> Not sure how recently "recently" is, but I sent mail about this on June
> 11 to www-uu at unixunanimous.org; I never received a reply (or even
> acknowledgement that the message was received).
> 
> At the time, the certificate on the page had expired on 12/30/2016 (so I
> assume this was before the switch to Let's Encrypt), but
> even ignoring the expiry problem, browsers were intermittently refusing
> to connect, with Firefox reporting
> "SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH" (apparently meaning "SSL
> received an unexpected Server Key Exchange handshake message."), and
> chromium-browser (66.0.3359.170) reporting "ERR_SSL_PROTOCOL_ERROR" with
> the diagnostic "[...:ERROR:ssl_client_socket_impl.cc(1098)] handshake
> failed; returned -1, SSL error code 1, net_error -107".
> 
> So I don't think the problem is the certificate; my guess is that the
> server software has some configuration issues.  Tweaking the available
> protocols and/or cipher suites (SSLProtocol, SSLCipherSuite,
> SSLHonorCipherOrder) might help--perhaps the server is offering ciphers
> that modern software just considers broken.
> 
> Or maybe the NSA's packet sniffer is having trouble interpolating itself
> between the server and its clients transparently :-)
> 
> -- 
> Dan Astoorian, Systems Administrator
> Engineering Computing Facility
> University of Toronto
> _______________________________________________
> u-u mailing list
> u-u at unixunanimous.org
> https://unixunanimous.org/mailman/listinfo/u-u

-- 
Bill Duncan,         | http://billduncan.org/
bduncan at beachnet.org | - linux/unix/network
+1 416 697-9315      | - performance engineering
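
Added example, not part of the original message: a Python check that reads the `openssl x509 -noout` output shown above and reports whether the subject CN matches the host that was requested and whether the validity window covers a given time. The function names and the `triage` interface are assumptions made for this example; the sample text is copied from the message.

```python
import re
from datetime import datetime, timezone

# Output copied from the message above (fingerprint and serial lines omitted).
SAMPLE = """\
subject= /CN=www2.infra-service.ca
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
notBefore=Jul 13 04:15:42 2018 GMT
notAfter=Oct 11 04:15:42 2018 GMT
"""

def parse_x509_text(text):
    """Map each 'name=value' line of `openssl x509 -noout ...` output to a dict entry."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def common_name(dn):
    """Pull the CN out of either DN style OpenSSL prints ('/CN=x' or 'CN = x')."""
    m = re.search(r"(?:^|[/,\s])CN\s*=\s*([^,/]+)", dn)
    return m.group(1).strip() if m else None

def parse_time(stamp):
    """Parse OpenSSL's 'Jul 13 04:15:42 2018 GMT' timestamps as aware UTC datetimes."""
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def triage(text, host, now):
    """Return a list of findings for the certificate served to `host` at time `now`."""
    fields = parse_x509_text(text)
    findings = []
    cn = common_name(fields.get("subject", ""))
    if cn is None or cn.lower() != host.lower():
        # Clients match on subjectAltName, which this output does not include,
        # so a differing CN is a prompt to inspect the SAN list, not a verdict.
        findings.append(f"subject CN {cn} differs from {host}: check subjectAltName")
    if now < parse_time(fields["notBefore"]):
        findings.append("certificate is not yet valid")
    elif now > parse_time(fields["notAfter"]):
        findings.append("certificate has expired")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE, "unixunanimous.org", datetime.now(timezone.utc)):
        print(finding)
```

A clean result here only rules out the certificate's name and dates; the handshake errors quoted in the message are a separate matter of server protocol and cipher configuration.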

