SSL on

Pete Stephenson pete at
Mon Sep 9 15:58:14 CEST 2013

On Mon, Sep 9, 2013 at 3:19 PM, Werner Koch <wk at> wrote:
> Due to public demand I enabled https for on v4 and v6.  It
> is a 2048 bit CAcert certificate, so you need to install the CAcert root
> certificate.


> Note also that recent Mozilla browsers tell you in the certificate
> details that they can't verify the certificate because it uses an
> insecure algorithm - which seems to be SHA-1.  Now if SHA-1 would be the
> weakest link in the whole web security domain we could easily solve all
> problems.  It is just funny how they try to fix a broken infrastructure.

According to
that's because the CAcert Class 3 intermediate cert was signed using
MD5, which is indeed insecure for such purposes. See

They have a newer Class 3 intermediate cert at that is signed by the CAcert root
using SHA256. Simply swapping out the intermediates should solve the

Personally, I prefer the free certs issued by StartSSL as their root
is installed by default in most systems/browsers. The CAcert root
isn't (yet -- there's a bunch of work needed to be done to get the
CAcert root to pass an audit and be included). Your mileage, of
course, may vary.

Pete Stephenson
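
The check discussed in this message, finding which certificate in a chain carries an MD5 or SHA-1 signature, as an added example that is not part of the original post or of any CAcert or GnuPG tooling. It reads the signatureAlgorithm OID straight out of the DER encoding with the standard library only. The chain below is made of constructed skeleton certificates, and the names skeleton, weak_links and CHAIN are hypothetical.

```python
# Added example. The "certificates" are constructed DER skeletons, not real ones.
SIG_ALGS = {  # signatureAlgorithm OID -> (name, treated as acceptable here)
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", False),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
}

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }"""
    _, cert, _ = read_tlv(cert_der, 0)
    _, _, pos = read_tlv(cert, 0)        # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)   # AlgorithmIdentifier
    _, oid, _ = read_tlv(alg_id, 0)      # its first field is the OID
    dotted = decode_oid(oid)
    return SIG_ALGS.get(dotted, (dotted, False))

def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def skeleton(last_arc):
    oid = bytes.fromhex("2a864886f70d0101") + bytes([last_arc])  # 1.2.840.113549.1.1.x
    alg = der(0x30, der(0x06, oid) + der(0x05, b""))
    return der(0x30, der(0x30, bytes(200)) + alg + der(0x03, bytes(257)))

def weak_links(chain):
    return [name for name, cert in chain.items() if not signature_algorithm(cert)[1]]

CHAIN = {"server": skeleton(5), "class3-old": skeleton(4), "class3-new": skeleton(11)}
```

For a real chain, pass each certificate's DER bytes to signature_algorithm, for example after converting a PEM file with ssl.PEM_cert_to_DER_cert.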
