httpd-dev mailing list archives

From Rob Stradling <rob.stradl...@comodo.com>
Subject Re: mod_ssl patch: use new OpenSSL features to autofix cert chains
Date Thu, 27 Mar 2014 16:48:37 GMT
On 27/03/14 14:04, Daniel Kahn Gillmor wrote:
> On 03/27/2014 09:27 AM, Emilia Kasper wrote:
<snip>
>> As I said, I have low faith in admin intervention.. According to SSL pulse,
>> 6% of Alexa top 200K sites serve an incomplete chain. You'd think they'd
>> notice.
>
> I share your skepticism, but to be fair, most of the tools folks are
> faced with right now don't give them *any* pointers about what needs to
> be done, or even whether they've done the right thing or not.
>
> For most sysadmins (who have lots of different tasks to take care of
> that don't relate to the arcana of X.509 validation) the prospect of
> sorting this out is "spend a couple hours on search engines reading
> random blog posts that disagree with each other to figure out what you
> might need to do, and when you're done you won't even be sure that
> you're done."
>
> Given this disappointing and frustrating scenario, i am not surprised
> that many people don't even bother trying.
>
> You're talking about improving the toolchains they have so that they get
> more concrete feedback about what they're doing and explicit suggestions
> about what needs to be done to fix the problems.  i think that's great.

BTW, a big +1 on wanting to do something to reduce the number of servers 
with misconfigured chains!

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
