On 8/30/2011 2:42 PM, Erwann ABALEA wrote:
> Hello,
> Today, 30 August 2011, Lutz Jaenicke wrote:
> > I have just installed a new 3 year wildcard "*.openssl.org" certificate
> > to our web site.
> > Thanks to GlobalSign for the new donation.
> > The migration should work more or less unnoted for the users. If you
> > experience any problems please drop me a message.
>
> Thanks to them, yes.
>
> Maybe you could remove the root CA from the file designated by the
> SSLCertificateChainFile directive? It's useless to send it to the
> client, as you know, and you may gain 1 TCP packet (+ ACK in return)
> during the negotiation.
Actually, as an experienced web user I prefer the ability to see the
self-signed CA certificate, because it is helpful in 2 situations:

1) The CA has changed/improved the attributes, e.g. by extending the
expiry date or adding a CRL location for detecting future root cert
revocation (a good precaution for CAs to take, coupled with a
pre-generated key compromise CRL stored somewhere off-site but secure).

2) My browser lacks the CA cert, in which case having it at hand
eliminates one of the two steps in securely adding it (the other step
is to compare the cert hash ("fingerprint") with a known published
value).
> You should also disable SSLv2, and <128-bit ciphers.
I think those are there for the "test your key strength" subsite, and
for bootstrapping users who are starting from an old pre-2000 floppy/CD
and now need to advance to modern key strengths. (Yes, I do have such
old OS and browser CDs tucked away somewhere from before everything
became downloads).
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
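An added example, not part of the thread and not openssl.org's own configuration or certificates: a POSIX shell script that builds a throwaway root/intermediate/leaf PKI with the openssl CLI (all names are constructed placeholders) and then checks the two points the replies above argue over. It reports whether a chain file destined for SSLCertificateChainFile carries a self-signed root, shows that verification against the trust store succeeds without that copy, and prints the SHA-256 fingerprint an admin would compare against a published value before trusting a CA their browser lacks. The function and file names are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway PKI and inspect a chain
# file the way a server operator would before pointing SSLCertificateChainFile at it.
set -eu

WORK="$(mktemp -d)"

# Constructed test PKI (placeholder names, not openssl.org's real certificates):
# self-signed root -> intermediate CA -> wildcard leaf.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Example Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Test Intermediate" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/inter.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=*.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -CAcreateserial -out "$WORK/leaf.pem" >/dev/null 2>&1
  # Two candidate chain files: the lean one stops at the intermediate; the other
  # also carries the root, which the client must already trust for the chain to pass.
  cat "$WORK/inter.pem" > "$WORK/chain_without_root.pem"
  cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain_with_root.pem"
}

# Number of PEM certificates in a bundle.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Split a PEM bundle into $WORK/split.1, $WORK/split.2, ... (one cert each).
split_pem() {
  rm -f "$WORK"/split.*
  awk -v out="$WORK/split" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (out "." n) }' "$1"
}

# SHA-256 fingerprint of one certificate: the value to compare against a separately
# published figure before trusting a CA the browser lacks (point 2 above).
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'; }

# Print the fingerprint of any self-signed (subject == issuer) certificate in a
# chain file; prints nothing when the chain stops at the intermediate.
find_root_in_chain() {
  split_pem "$1"
  for f in "$WORK"/split.*; do
    [ -e "$f" ] || continue
    subj="$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')"
    iss="$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')"
    if [ "$subj" = "$iss" ]; then fingerprint "$f"; fi
  done
}

# Human-readable verdict used by the report below.
chain_root_status() {
  if [ -n "$(find_root_in_chain "$1")" ]; then echo root-included; else echo no-root; fi
}

# Verify the leaf against the trust store's root, with the given chain file standing
# in for what the server would send: both chain files pass, which is exactly why
# shipping the root is dead weight on every handshake.
leaf_verifies_with() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

make_test_pki
for chain in "$WORK/chain_without_root.pem" "$WORK/chain_with_root.pem"; do
  echo "$(basename "$chain"): $(cert_count "$chain") cert(s), $(chain_root_status "$chain"), verify=$(leaf_verifies_with "$chain")"
done
echo "root fingerprint (publish this out of band): $(fingerprint "$WORK/root.pem")"
```

Run against a real deployment, the same functions apply to the file named by SSLCertificateChainFile, or to the chain saved from `openssl s_client -showcerts`; the fingerprint printed for the served root is what a user on a machine without that CA compares against the value published elsewhere, and the verify step shows the root copy adds bytes to every handshake without changing the outcome.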