Custom Query (196 matches)

This is because the trac.fcgis are all symlinks to the same executable, so Apache thinks they're the same script and reuses old processes from one site for the other site. A simple solution is to copy /mit/scripts/deploy/trac/trac.fcgi into place instead of symlinking it.

davidben points out that ​Chrome will be degrading SHA-1 certificates valid past 2016-01-01:

The following changes to Chromium's handling of SHA-1 are proposed:

• All SHA-1-using certificates that are valid AFTER 2017/1/1 are treated insecure, but without an interstitial. That is, they will receive a degraded UI indicator, but users will NOT be directed to click through an error page.
• Additionally, the mixed content blocker will be taught to treat these as mixed content, which WILL require a user action to interact with.
• All SHA-1-using certificates that are valid AFTER 2016/1/1 are treated as insecure, but without an interstitial. They will receive a degraded UI indicator, but will NOT be treated as mixed content.

This seems to include all certificates that mitcert/InCommon has issued (and continues to issue!) since 2013-01-01, since they have a three year expiration date.

So we’re going to need to replace all these certificates soon. This might also be a good excuse to move to a 2048-bit private key (because a 4096-bit certificate signed by 2048-bit CAs provides no security benefit and is noticeably slower).

Currently, the directors check port 25 on each machine to see if postfix is running. This is bad, since it means we can't nolvs a machine and prevent it from also handling mail. Mitch wrote patches a few years ago that use the nagios ldap check and provide the smtp service that heartbeat can ping. This allows us to nolvs a machine and have it drop out of all services, meaning we can temporarily take a wedged machine out of the pool for debugging.