Custom Query (196 matches)
Results (106 - 108 of 196)
Ticket | Resolution | Summary | Owner | Reporter |
---|---|---|---|---|
#48 | fixed | SNI, giving certificates on *.scripts.mit.edu for FF 2 and IE 7 | presbrey | andersk |

Description: Currently lockername.scripts.mit.edu gives a certificate error. We have a valid certificate for *.scripts.mit.edu but it is currently not used. The problem is that (modulo recent extensions) the HTTPS protocol doesn’t support sending the virtual host name before the server must decide which certificate to present. There have been two proposed solutions. One is to use the SNI extension. This requires upgrading OpenSSL to at least 0.9.8f, patching mod_ssl, and using relatively recent browsers (old browsers will fall back to the current behavior). The other is to move *.scripts.mit.edu to a separate IP from scripts.mit.edu, so that the server knows which certificate to present based on the IP. This is less general (we can’t extend this to work with arbitrary vhosts), but we could probably implement it now.
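The SNI option in ticket #48 depends on the client putting the host name into the very first TLS message, so the server can pick a certificate before it answers. The following is an added example, not code from the ticket, from mod_ssl or from the scripts.mit.edu patches: it builds a real ClientHello offline with Python's `ssl` module (using a memory BIO, so no network is needed), extracts the server_name extension the way an SNI-aware server would, and then chooses between the scripts.mit.edu and *.scripts.mit.edu certificates. The `CERTS` table, the `cert-...` labels and the `DEFAULT_CERT` fallback are assumptions made for the example; a client that sends no SNI (the "old browsers" case) gets the default certificate, which is exactly the pre-SNI behaviour the ticket describes.

```python
"""Added example: parse SNI out of a ClientHello and select a certificate.

Constructed certificate table (labels only, no real keys): the default
certificate covers scripts.mit.edu, the wildcard covers *.scripts.mit.edu.
"""
import ssl
import struct

CERTS = {
    "scripts.mit.edu": "cert-scripts.mit.edu",
    "*.scripts.mit.edu": "cert-wildcard.scripts.mit.edu",
}
DEFAULT_CERT = CERTS["scripts.mit.edu"]   # presented when the client sent no SNI


def client_hello(hostname):
    """Return the bytes a TLS client sends first; hostname=None means no SNI."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False             # there is no peer, we only want the bytes
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass                               # ClientHello written, now waiting for the server
    return outgoing.read()


def extract_sni(data):
    """Reassemble the ClientHello from TLS handshake records; return host_name or None."""
    body, pos = b"", 0
    while pos + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[pos:pos + 5])
        if ctype != 22:                    # 22 = handshake record
            break
        body += data[pos + 5:pos + 5 + length]
        pos += 5 + length
    if len(body) < 4 or body[0] != 1:      # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    h = body[4:4 + int.from_bytes(body[1:4], "big")]
    p = 2 + 32                             # client_version + random
    p += 1 + h[p]                          # session_id
    p += 2 + struct.unpack("!H", h[p:p + 2])[0]   # cipher_suites
    p += 1 + h[p]                          # compression_methods
    if p + 2 > len(h):
        return None                        # no extensions at all: a pre-SNI client
    ext_end = p + 2 + struct.unpack("!H", h[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", h[p:p + 4])
        edata = h[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == 0:                     # server_name extension
            q = 2                          # skip ServerNameList length
            while q + 3 <= len(edata):
                name_type = edata[q]
                name_len = struct.unpack("!H", edata[q + 1:q + 3])[0]
                if name_type == 0:         # host_name
                    return edata[q + 3:q + 3 + name_len].decode("ascii")
                q += 3 + name_len
    return None


def select_certificate(sni):
    """Pick a certificate the way an SNI-aware server would (exact, then wildcard)."""
    if sni is None:
        return DEFAULT_CERT                # old client: same behaviour as before SNI
    if sni in CERTS:
        return CERTS[sni]
    # A wildcard label matches exactly one label (RFC 6125), so *.scripts.mit.edu
    # covers lockername.scripts.mit.edu but not a.b.scripts.mit.edu.
    parent = sni.split(".", 1)[1] if "." in sni else ""
    return CERTS.get("*." + parent, DEFAULT_CERT)


if __name__ == "__main__":
    for host in (None, "scripts.mit.edu", "lockername.scripts.mit.edu", "a.b.scripts.mit.edu"):
        sni = extract_sni(client_hello(host))
        print(f"SNI={sni!r:32} -> {select_certificate(sni)}")
```

The fallback is the important part for the ticket: a server that cannot find an SNI host name must still answer with some certificate, and whichever one it picks is what the "old browsers" in the ticket will see.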

Ticket | Resolution | Summary | Owner | Reporter |
---|---|---|---|---|
#371 | fixed | SMTP should be checked on a realserver properly | achernya | |

Description: Currently, the directors check port 25 on each machine to see if postfix is running. This is bad, since it means we can't nolvs a machine and prevent it from also handling mail. Mitch wrote patches a few years ago that use the nagios ldap check and provide the smtp service that heartbeat can ping. This allows us to nolvs a machine and have it drop out of all services, meaning we can temporarily take a wedged machine out of the pool for debugging.

Ticket | Resolution | Summary | Owner | Reporter |
---|---|---|---|---|
#400 | fixed | SHA-1 certificates from mitcert since 2013 will be degraded by Chrome | andersk | |

Description: davidben points out that Chrome will be degrading SHA-1 certificates valid past 2016-01-01:

This seems to include all certificates that mitcert/InCommon has issued (and continues to issue!) since 2013-01-01, since they have a three year expiration date. So we’re going to need to replace all these certificates soon. This might also be a good excuse to move to a 2048-bit private key (because a 4096-bit certificate signed by 2048-bit CAs provides no security benefit and is noticeably slower).
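Ticket #400 asks two questions of every certificate in the pool: is it SHA-1 signed with a notAfter past Chrome's 2016-01-01 cutoff, and is its key larger than the CA key that signs it. The following is an added example, not code from the ticket or from scripts.mit.edu: it answers both over the text that `openssl x509 -noout -text` prints. The two certificate dumps embedded below are constructed for the example (generic issuer names, no serials or signatures); the field layout follows the openssl text format, and the key-size regex accepts both the `RSA Public-Key:` label of OpenSSL 1.1 and the `Public-Key:` label of OpenSSL 3.

```python
"""Added example: the two checks from ticket #400 over `openssl x509 -text` output."""
import re
from datetime import datetime, timezone

CHROME_SHA1_CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)

# Constructed sample: a 3-year SHA-1 leaf with an oversized key (not a real cert).
LEAF_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O = Example CA (constructed), CN = Example Server CA
        Validity
            Not Before: Mar 14 00:00:00 2014 GMT
            Not After : Mar 14 23:59:59 2017 GMT
        Subject: CN = scripts.mit.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
"""

# Constructed sample: the intermediate that signed it, SHA-256 and 2048-bit.
ISSUER_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Example CA (constructed), CN = Example Root CA
        Validity
            Not Before: Oct  6 00:00:00 2014 GMT
            Not After : Oct  6 23:59:59 2024 GMT
        Subject: O = Example CA (constructed), CN = Example Server CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""


def parse_cert_text(text):
    """Pull the signature algorithm, notAfter and RSA key size out of -text output."""
    sig = re.search(r"^\s*Signature Algorithm:\s*(\S+)", text, re.M).group(1)
    not_after = re.search(r"Not After\s*:\s*(.+)", text).group(1).strip()
    bits = int(re.search(r"Public-Key: \((\d+) bit\)", text).group(1))
    # openssl prints e.g. "Oct  6 23:59:59 2024 GMT"; strptime tolerates the double space
    expires = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return {"sig_alg": sig, "not_after": expires, "key_bits": bits}


def sha1_degraded(cert):
    """Chrome's rule as stated in the ticket: SHA-1 signature valid past 2016-01-01."""
    return "sha1" in cert["sig_alg"].lower() and cert["not_after"] > CHROME_SHA1_CUTOFF


def effective_key_bits(chain):
    """A chain is only as strong as its weakest RSA key, whichever element holds it."""
    return min(c["key_bits"] for c in chain)


def audit(leaf, issuer):
    """Return the findings for one leaf under its issuer (empty list = nothing to do)."""
    findings = []
    if sha1_degraded(leaf):
        findings.append("replace: SHA-1 signature, valid past 2016-01-01")
    if leaf["key_bits"] > issuer["key_bits"]:
        findings.append(
            f"{leaf['key_bits']}-bit key gains nothing over the {issuer['key_bits']}-bit "
            f"CA key; effective strength is {effective_key_bits([leaf, issuer])} bits"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_cert_text(LEAF_TEXT), parse_cert_text(ISSUER_TEXT)):
        print(finding)
```

To run it against real certificates, feed `parse_cert_text` the output of `openssl x509 -in cert.pem -noout -text` for the leaf and for the issuing CA; the cutoff compare is what makes the "issued since 2013-01-01 with three-year validity" set fall out automatically.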