On 15/6/2022 1:45 am, Viktor Dukhovni wrote:
> Two comments on your server setup:
>
> * The server certificate is 4096 bit RSA. This is needlessly turgid.
>   The issuing CA is 2048 bits, there is little to gain from a
>   stronger EE key. Some peer libraries may not support keys of this
>   size.

I use Let's Encrypt. Need to figure out how to change to 2048 bits.
Google search time.

> * The "Let's Encrypt CA" chain is configured for compatibility with
>   legacy Android systems that trust the expired "DST" root CA:
>
>     subject=CN = prometheus.mindmedia.com.sg
>     issuer=C = US, O = Let's Encrypt, CN = R3
>     subject=C = US, O = Let's Encrypt, CN = R3
>     issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
>     subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
>     issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
>
>   You may have better luck by configuring "certbot" or similar to
>   build a chain that avoids the ISRG -> DST cross cert.

More Google searching on how to do this.

Thank you for the advice. I will start searching.
P.V.Anthony
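
The chain check discussed in this thread, as an added example that is not part of either poster's message: it parses a subject=/issuer= listing like the one quoted above, confirms each certificate is issued by the next one, and reports any certificate cross-signed by the expired DST root. The function names are hypothetical and the sample input is the listing from the message.

```python
import re

# Constructed sample: the subject=/issuer= listing quoted in the message.
SAMPLE_CHAIN = """\
subject=CN = prometheus.mindmedia.com.sg
issuer=C = US, O = Let's Encrypt, CN = R3
subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
"""
LEGACY_ROOT_CN = "DST Root CA X3"  # the expired root named in the message


def parse_chain(text):
    """Return (subject, issuer) pairs in the order the server sent them."""
    pairs, subject = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("issuer=") and subject is not None:
            pairs.append((subject, line[len("issuer="):].strip()))
            subject = None
    return pairs


def common_name(dn):
    """Extract the CN value from a distinguished-name string, or None."""
    m = re.search(r"CN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else None


def audit_chain(text):
    """List chain problems: broken issuer links and legacy cross-signs."""
    pairs = parse_chain(text)
    findings = []
    for i in range(len(pairs) - 1):
        # Each certificate's issuer must be the subject of the next one.
        if pairs[i][1] != pairs[i + 1][0]:
            findings.append(f"chain break after certificate {i}")
    for i, (subject, issuer) in enumerate(pairs):
        if common_name(issuer) == LEGACY_ROOT_CN:
            findings.append(f"certificate {i} ({common_name(subject)}) "
                            f"is cross-signed by {LEGACY_ROOT_CN}")
    return findings


if __name__ == "__main__":
    for finding in audit_chain(SAMPLE_CHAIN):
        print(finding)
```

A chain that stops at the R3 intermediate yields no findings, which is the result to look for after reconfiguring the ACME client.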