X.509 certificates for https://gnupg.org
Werner Koch
wk at gnupg.org
Tue Dec 17 21:21:20 CET 2013
On Tue, 17 Dec 2013 18:52, dkg at fifthhorseman.net said:
> I think it depends on what flavor of IE you're using (and what version
> of the underlying OS you're using as well). The version of schannel in
Seems so. I updated my Windows 7 box to IE11 with no channel. Maybe I
need to update more. Anyway IE11 seems to be pretty new.
> If you want to be able to support these systems, you may need to add a
> low-priority "Lowest Common Denominator" ciphersuite to match them.
> Sadly, that seems likely to be TLS_RSA_WITH_3DES_EDE_CBC_SHA, unless
Okay, IE users are anyway on Windows. So why provide PFS for an OS that
may have a direct path to Maryland anyway.
> supported by XP's native TLS stack). I've never even tried to get a DSA
> certificate for a web server from any member of the CA cartel. Have you?
No. I recall that I tried to get a certificate for mail use to test my
DSA code in gpgsm but I was not able to get one. The customer then
dropped the DSA support from the requirements list. For web servers
this should be possible - why else do they add those algorithms. After
all that could be a selling point for an E+V certificate - if they
could only find a new color.
> lowest-common-denominator ciphersuite unless it's the only one they
> support, you should probably set "SSLHonorCipherOrder 1" in your pound
Did exactly that for the g10code site by now. I'll fix the
intermediate CAcert certificate problem tomorrow.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are governed by a federal law.
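
The effect of honoring the server's cipher order with a low-priority fallback suite, as discussed in this message, shown as an added example that is not part of the original post or of pound's code. It simulates suite selection only (no real handshake); the server and client preference lists are constructed for illustration.

```python
# Simulated TLS cipher-suite selection (constructed data, no network I/O).
# Shows why a lowest-common-denominator suite belongs at the END of the
# server list, and why the server's order must be the one that is honored.

FORWARD_SECRET_KX = ("_ECDHE_", "_DHE_")  # ephemeral key exchanges give PFS

def negotiate(server_prefs, client_prefs, honor_server_order):
    """Return the suite the server selects, or None if none is shared."""
    if honor_server_order:
        ordered, offered = server_prefs, set(client_prefs)
    else:
        ordered, offered = client_prefs, set(server_prefs)
    for suite in ordered:
        if suite in offered:
            return suite
    return None

def has_forward_secrecy(suite):
    return suite is not None and any(kx in suite for kx in FORWARD_SECRET_KX)

# Constructed server policy: PFS suites first, 3DES fallback last.
SERVER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
# Constructed client that supports PFS but happens to list 3DES first.
MODERN_CLIENT = [
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
# Constructed legacy client: the fallback is the only suite in common.
LEGACY_CLIENT = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]

def report():
    """Selected suite and PFS status for each client/ordering combination."""
    cases = {
        "modern, server order": negotiate(SERVER, MODERN_CLIENT, True),
        "modern, client order": negotiate(SERVER, MODERN_CLIENT, False),
        "legacy, server order": negotiate(SERVER, LEGACY_CLIENT, True),
    }
    return {name: (s, has_forward_secrecy(s)) for name, s in cases.items()}

if __name__ == "__main__":
    for name, (suite, pfs) in report().items():
        print(f"{name:22} -> {suite} (PFS: {pfs})")
```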