cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
List archive
- From: Michael Tänzer <michael.taenzer AT cacert.org>
- To: cacert-sysadm AT lists.cacert.org
- Subject: Re: apache2 config difference secure.c.o/lists.c.o
- Date: Tue, 22 Oct 2013 04:08:55 +0200
- Openpgp: id=9940BEF1
Hi Andre,
On 22.10.2013 02:52, Andre Klärner wrote:
> can someone explain to me why the certificate login on lists.cacert.org
> works with an Android 4.3 device while the secure.cacert.org login doesn't?
There are a few significant differences I can tell from my mind (for the
details someone will have to do a more detailed comparison by looking at
the configurations):
- Lists runs on Debian 7 while the critical web server is still on 6
with all consequences (older OpenSSL version, Apache etc.)
- The critical web server does the revocation checking by looking up the
certificate directly in the database, therefore if the certificate was
revoked or not marked for "Login" in the account, the web server will
refuse the certificate. Revocation checking might however not be
implemented correctly on the lists server, especially with the problems
with CRL download
> I tried both with the same certificate, the same browser (Chrome on
> Android) and the same Android, just seconds one from each other, but the
> request on secure.cacert.org fails with the usual "cannot negotiate ssl…"
> while the login on Sympha works perfectly (actually I discovered that by in
> a routine just clicking on the cert while following an archive link and
> tried the cert logon on secure.cacert.org just to test it out).
Can you try to get a more exact error message? Something that indicates
what exactly caused handshake to fail (e.g. no matching cipher suite,
invalid server certificate, no suitable client certificate, certificate
authentication denied). That would help a lot to narrow down where the
error is to be found.
--
Have a nice day,
Michael Tänzer
Attachment:
signature.asc
Description: OpenPGP digital signature
- apache2 config difference secure.c.o/lists.c.o, Andre Klärner, 10/22/2013
- Re: apache2 config difference secure.c.o/lists.c.o, Michael Tänzer, 10/22/2013
- Re: apache2 config difference secure.c.o/lists.c.o, Andre Klärner, 10/23/2013
- Re: apache2 config difference secure.c.o/lists.c.o, Michael Tänzer, 10/23/2013
- Re: apache2 config difference secure.c.o/lists.c.o, Andre Klärner, 10/23/2013
- Re: apache2 config difference secure.c.o/lists.c.o, Michael Tänzer, 10/22/2013
Archive powered by MHonArc 2.6.18.