FIXED - Re: Broken SSL cert caused by router?

Tom Taylor tom.taylor.stds at gmail.com
Mon Mar 30 17:41:50 UTC 2015


On 29/03/2015 11:56 PM, John Levine wrote:
>> SSLCertificateChainFile /etc/ssl/certs/gd_bundle-g2-g1.crt
>>
>> I have actually fixed it.
>
> Yeah, that's always it.
>
> Back in the good aulde days all of the SSL certs one might buy were
> signed directly by the CA, but now more often than not there are
> intermediate certs, and a valid cert needs to be accompanied by all of
> the intermediate certs between it and the CA.
>
> What makes debugging hard is that browsers try to be helpful.  If a
> server doesn't provide the intermediate certs, but the browser happens
> to have them in its cache from some other site, well, close enough and
> the SSL works.  But if some other browser doesn't happen to have them,
> you lose.
>
> So if your SSL is flaky, check those intermediate certs first.
>
> R's,
> John
>

With all this resolved, I'll note that I just reviewed
draft-ietf-tls-sslv3-diediedie, which is in IETF Last Call prior to 
publication as an RFC. It deprecates the use of any version of SSL in 
favour of TLS 1.2 in the clientHello negotiations.

Tom Taylor


More information about the NANOG mailing list