Gmail and SSL

Jasper Wallace jasper at pointless.net
Fri Dec 21 07:38:17 UTC 2012


On Fri, 14 Dec 2012, Christopher Morrow wrote:

> On Fri, Dec 14, 2012 at 6:03 PM, Peter Kristolaitis <alter3d at alter3d.ca> wrote:
> > In my experience, free/cheap certs "not working" on some clients is, in
> > 99.9% of cases, a misconfiguration error where the server isn't presenting
> > the cert chain properly (usually omitting the intermediate cert), which
> > works on some platforms (often because they include the intermediate certs
> > to work around these kinds of problems) but not on others.  Fixing the cert
> > chain that's presented to the client has ALWAYS resolved these types of
> > issues in my experience.
> 
> and in the case of the original topic... if the Gmail servers don't
> accept StartSSL certs, please let me know; I'll see about a fix.

Tangentially to this: any chance of supporting TLSA/DANE records for 
_110._tcp.domain and _995._tcp.domain? (and the IMAP equivalents).

That would let people carry on using self-signed certs who prefer to and 
let people who have a cert that chains back to a root CA assert which root 
CA the cert should chain back to, which would be nice in these 
days of DigiNotar and Comodo hacks...

-- 
[http://pointless.net/]                                   [0x2ECA0975]
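
The two cases raised in the message above map onto TLSA certificate usages in RFC 6698: usage 3 pins the server's own (possibly self-signed) certificate, and usage 0 constrains which CA the chain may lead to. The sketch below is an added example, not part of the original post; the function names, the host `mail.example.net` and the stand-in certificate bytes are constructed for illustration, and only selector 0 (full certificate) is handled.

```python
import hashlib

# TLSA certificate usages (RFC 6698, section 2.1.1)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3

def tlsa_owner(port, proto, host):
    """Owner name of the TLSA RRset, e.g. _995._tcp.<host> for POP3S."""
    return "_%d._%s.%s" % (port, proto, host)

def apply_matching_type(der, mtype):
    """Matching type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    if mtype == 0:
        return der
    if mtype == 1:
        return hashlib.sha256(der).digest()
    if mtype == 2:
        return hashlib.sha512(der).digest()
    raise ValueError("unknown matching type %d" % mtype)

def tlsa_matches(record, chain):
    """record = (usage, selector, mtype, data); chain = DER certs, leaf first.

    Usages 0 and 1 additionally require ordinary PKIX path validation,
    which this sketch does not perform. Treating every non-leaf cert as a
    candidate for the CA usages is a simplification.
    """
    usage, selector, mtype, data = record
    if selector != 0:
        # Selector 1 (SubjectPublicKeyInfo) needs an X.509 parser.
        raise NotImplementedError("only selector 0 is handled here")
    if usage in (PKIX_EE, DANE_EE):
        candidates = chain[:1]      # must be the server's own certificate
    elif usage in (PKIX_TA, DANE_TA):
        candidates = chain[1:]      # must be a CA cert above the leaf
    else:
        raise ValueError("unknown certificate usage %d" % usage)
    return any(apply_matching_type(c, mtype) == data for c in candidates)

# Constructed stand-ins for DER-encoded certificates (not real X.509).
LEAF = b"constructed-leaf-certificate"
CHOSEN_CA = b"constructed-chosen-ca-certificate"
OTHER_CA = b"constructed-other-ca-certificate"

# "3 0 1 <sha256 of leaf>": pin a self-signed server certificate.
SELF_SIGNED_PIN = (DANE_EE, 0, 1, hashlib.sha256(LEAF).digest())
# "0 0 1 <sha256 of CA>": only this CA may appear in the chain.
CA_CONSTRAINT = (PKIX_TA, 0, 1, hashlib.sha256(CHOSEN_CA).digest())
```

A chain that omits the CA certificate gives the CA-constraint record nothing to match against in this sketch, which is the same omission Peter describes for ordinary clients.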
