Re: Updating SSL keys on fedoraproject.org 2011-03-10

2011-03-14 Thread Petr Pisar
On 2011-03-11, Chris Adams wrote: > Once upon a time, Ralf Ertzinger said: >> this document is about a quite special case (regarding lawfully binding >> digital signatures) and not about SSL in general. > > I took a short look at software support for other SSL hashes: > > - OpenSSL: openssl only

Re: Updating SSL keys on fedoraproject.org 2011-03-10

2011-03-14 Thread Petr Pisar
On 2011-03-11, Chris Adams wrote: > Once upon a time, Petr Pisar said: >> This year? In Europe we are over. All qualified CAs are forbidden to >> issue SHA-1 certificates since the beginning of 2010. > > Cite? There is a study ETSI TS 102 176-1 V2.0.0 (called `ALGO Paper')

Re: Updating SSL keys on fedoraproject.org 2011-03-10

2011-03-11 Thread Elio Maldonado
On 03/11/2011 12:18 PM, Chris Adams wrote: Once upon a time, Ralf Ertzinger said: this document is about a quite special case (regarding lawfully binding digital signatures) and not about SSL in general. I took a short look at software support for other SSL hashes: - OpenSSL: openssl only off

Re: Updating SSL keys on fedoraproject.org 2011-03-10

2011-03-11 Thread Chris Adams
Once upon a time, Ralf Ertzinger said: > this document is about a quite special case (regarding lawfully binding > digital signatures) and not about SSL in general. I took a short look at software support for other SSL hashes: - OpenSSL: openssl only offers md5, sha1, md2, mdc2, md4 for generati

Re: Updating SSL keys on fedoraproject.org 2011-03-10

2011-03-11 Thread Till Maas
On Fri, Mar 11, 2011 at 08:37:39PM +0100, Ralf Ertzinger wrote: > Hi. > > On Fri, 11 Mar 2011 20:22:55 +0100, Till Maas wrote > > > I assume he meant since January 2011. This is at least the official > > statement for Germany: > > > > http://www.bundesnetzagentur.de/DE/Sachgebiete/QES/Veroeffentl

Re: Updating SSL keys on fedoraproject.org 2011-03-10

2011-03-11 Thread Ralf Ertzinger
Hi. On Fri, 11 Mar 2011 20:22:55 +0100, Till Maas wrote > I assume he meant since January 2011. This is at least the official > statement for Germany: > > http://www.bundesnetzagentur.de/DE/Sachgebiete/QES/Veroeffentlichungen/Algorithmen/algorithmen_node.html > http://www.bundesnetzagentur.de/cae

Re: Updating SSL keys on fedoraproject.org 2011-03-10

2011-03-11 Thread Till Maas
On Fri, Mar 11, 2011 at 08:44:55AM -0600, Chris Adams wrote: > Once upon a time, Petr Pisar said: > > This year? In Europe we are over. All qualified CAs are forbidden to > > issue SHA-1 certificates since the beginning of 2010. > > Cite? https://europa.eu/ uses SHA-1 on a cert issued in February 2010.

Re: Updating SSL keys on fedoraproject.org 2011-03-10

2011-03-11 Thread Przemek Klosowski
On 03/11/2011 09:44 AM, Chris Adams wrote: > Cite? https://europa.eu/ uses SHA-1 on a cert issued in February 2010. > Of course, they also haven't disabled the weak SSL ciphers, so it's hard > to claim high security. On my systems all I get is a blank page saying: Access Denied (policy_denie

Re: Updating SSL keys on fedoraproject.org 2011-03-10

2011-03-11 Thread Chris Adams
Once upon a time, Petr Pisar said: > This year? In Europe we are over. All qualified CAs are forbidden to > issue SHA-1 certificates since the beginning of 2010. Cite? https://europa.eu/ uses SHA-1 on a cert issued in February 2010. Of course, they also haven't disabled the weak SSL ciphers, so it's ha

Re: Updating SSL keys on fedoraproject.org 2011-03-10

2011-03-11 Thread Petr Pisar
On 2011-03-10, Robert Relyea wrote: > SHA-1 is also used in the certificate. That, in theory, doesn't require > TLS 1.2, though only TLS 1.2 includes protocol to tell servers what > hashing algorithms the clients support, so in a strict sense only TLS > tells you whether or not it's safe to use a

Re: Updating SSL keys on fedoraproject.org 2011-03-10

2011-03-10 Thread Robert Relyea
On 03/10/2011 09:17 AM, Stephen John Smoogen wrote: > On Thu, Mar 10, 2011 at 01:07, Petr Pisar wrote: >> On 2011-03-10, Stephen Smoogen wrote: >>> We have already updated fedorahosted.org and will now be updating the >>> cert for the main site: fedoraproject.org. >>> >>> The old certificate came

Updating SSL keys on fedoraproject.org 2011-03-10

2011-03-10 Thread Andre Robatino
Stephen John Smoogen writes: > From my research to use the SHA-2 in TLS requires the user and server > to be both able to talk TLS-1.2. From what I found at wikipedia > (http://en.wikipedia.org/wiki/Transport_Layer_Security) Firefox does > not support 1.2 (only Opera and IE8 do). It's

Re: Updating SSL keys on fedoraproject.org 2011-03-10

2011-03-10 Thread Stephen John Smoogen
On Thu, Mar 10, 2011 at 01:07, Petr Pisar wrote: > On 2011-03-10, Stephen Smoogen wrote: >> >> We have already updated fedorahosted.org and will now be updating the >> cert for the main site: fedoraproject.org. >> >> The old certificate came from Equifax, was a 1024 bit key and had the >> fingerp

Re: Updating SSL keys on fedoraproject.org 2011-03-10

2011-03-10 Thread Petr Pisar
On 2011-03-10, Stephen Smoogen wrote: > > We have already updated fedorahosted.org and will now be updating the > cert for the main site: fedoraproject.org. > > The old certificate came from Equifax, was a 1024 bit key and had the > fingerprint: [...] > The new certificate is issued by GeoTrust, I

Updating SSL keys on fedoraproject.org 2011-03-10

2011-03-09 Thread Stephen Smoogen
Various SSL keys are aging out so we will be updating them before anyone gets a page. We have already updated fedorahosted.org and will now be updating the cert for the main site: fedoraproject.org. The old certificate came from Equifax, was a 1024 bit key and had the fingerprint: SHA1 Fingerpr