[mod_gnutls-devel] [gnutls-help] need help with SNI

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Apr 10 00:20:21 CEST 2014


On 04/09/2014 05:47 PM, Olaf Zaplinski wrote:
> I found a blog mentioning that GnuTLS has problems with subjectAltName:
> 
> http://jan-krueger.net/development/mod_gnutls-and-startssl-level-1-certificates-the-problem-and-solution

that blog post is from more than three years ago.  It may not reflect
the version of mod_gnutls you're using today.

what version of apache are you running?

what version of gnutls are you running?

what version of mod_gnutls are you running?

Your earlier message to gnutls-help provides this link:

 https://0.jmt.gr/?4d9b07a686545531#fMZ3M2aQ1fPk87BVQNICFgwo3giEBCtIt55lNvFRg4k=

this is a zerobin site, certified by CACert, sending
Strict-Transport-Security headers.

For people without the CACert root CA in their trust store, even if they
make a temporary allowance for the guest cert, the STS header will cause
the browser to reject the connection with no user clickthrough allowed.

zerobin also needs javascript, so falling back to wget
--no-check-certificate doesn't produce anything a human can understand.

I don't want this to turn into a discussion about the relative merits of
CACert or the CA cartel or javascript or supposedly-ephemeral data, but
my point is if you want people on the internet to help figure things
out, making it easier for them to see the data they need to see to
understand the situation is probably a good idea.

if there are redacted configs that you're willing to publish, it is
helpful to include them directly in your e-mail response.

thanks,

	--dkg
