Gmail and SSL
jasper at pointless.net
Fri Dec 21 07:38:17 UTC 2012
On Fri, 14 Dec 2012, Christopher Morrow wrote:
> On Fri, Dec 14, 2012 at 6:03 PM, Peter Kristolaitis <alter3d at alter3d.ca> wrote:
> > In my experience, free/cheap certs "not working" on some clients is, in
> > 99.9% of cases, a misconfiguration error where the server isn't presenting
> > the cert chain properly (usually omitting the intermediate cert), which
> > works on some platforms (often because they include the intermediate certs
> > to work around these kinds of problems) but not on others. Fixing the cert
> > chain that's presented to the client has ALWAYS resolved these types of
> > issues in my experience.
> and in the case of the original topic... if the Gmail servers don't
> accept StartSSL certs, please let me know and I'll see about a fix.
Tangentially to this: any chance of supporting TLSA/DANE records for
_110._tcp.domain and _995._tcp.domain? (and the IMAP equivalents).
That would let people carry on using self-signed certs who prefer to and
let people who have a cert that chains back to a root CA assert which root
CA the cert should chain back to, which would be nice in these
days of DigiNotar and Comodo hacks...
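
The TLSA records asked about above, as an added example that is not part of the original message: it builds the owner name and RDATA for a self-signed certificate (usage 3) and for a root-CA constraint (usage 0), then checks a certificate chain against them following RFC 6698. The domain example.net, the function names and the byte strings standing in for DER certificates are assumptions; only selector 0 (full certificate) is handled.

```python
import hashlib

# Certificate usage values from RFC 6698 section 2.1.1.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
HASHES = {1: hashlib.sha256, 2: hashlib.sha512}  # matching types 1 and 2

# Constructed stand-ins for DER certificates (not real certificates).
SELF_SIGNED = b"constructed self-signed server cert"
LEAF, INTERMEDIATE, ROOT = b"constructed leaf", b"constructed intermediate", b"constructed root"
OTHER_ROOT = b"constructed root of a different CA"


def tlsa_owner(port, domain, proto="tcp"):
    """Owner name of the TLSA RRset for a service, e.g. POP3S on 995."""
    return f"_{port}._{proto}.{domain.rstrip('.')}."


def association_data(cert_der, mtype):
    """Selector 0 only: the association covers the whole DER certificate."""
    if mtype == 0:
        return cert_der  # matching type 0: exact bytes, no hash
    return HASHES[mtype](cert_der).digest()


def tlsa_rdata(usage, mtype, cert_der):
    """Presentation-format RDATA: usage, selector (0), matching type, hex."""
    return f"{usage} 0 {mtype} {association_data(cert_der, mtype).hex()}"


def check(rdata, chain):
    """chain[0] is the server certificate, the rest are the CA certs of the path (DER).

    Returns (matched, pkix_validation_still_required).
    """
    fields = rdata.split()
    usage, selector, mtype = (int(x) for x in fields[:3])
    if selector != 0 or mtype not in (0, 1, 2) or usage not in (0, 1, 2, 3):
        return (False, True)  # not handled in this example: treat as no match
    # EE usages pin the server cert itself; TA usages pin a CA above it.
    candidates = chain[:1] if usage in (PKIX_EE, DANE_EE) else chain[1:]
    want = bytes.fromhex(fields[3])
    matched = any(association_data(c, mtype) == want for c in candidates)
    return (matched, usage in (PKIX_TA, PKIX_EE))


if __name__ == "__main__":
    print(tlsa_owner(995, "example.net"), "IN TLSA", tlsa_rdata(DANE_EE, 1, SELF_SIGNED))
    pin = tlsa_rdata(PKIX_TA, 1, ROOT)
    print(check(pin, [LEAF, INTERMEDIATE, ROOT]), check(pin, [LEAF, INTERMEDIATE, OTHER_ROOT]))
```

A True second element means the client must still run ordinary CA validation as well; usage 3 returns False there, which is what lets a self-signed certificate be accepted.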