[Operators] ECDSA certs score F

shmick at riseup.net
Thu Aug 7 19:38:48 UTC 2014


hi Thijs,

Thijs Alkemade wrote:
> 
> On 26 jul. 2014, at 05:18, shmick at riseup.net wrote:

>> i don't know what's up with the s2s though
>>
>>
> 
> It’s still unimplemented because I didn’t have any server to test against when I set it up.

i tried mqas.net again s2s but froze again completing only the cert score

> 
> There’s also the minor issue that I’m not sure exactly how to grade ECDSA keys, but I think giving them all 100 points makes sense (equivalent to 4096 bit RSA).
> 
> Your TLSA records are for your domain, not for your SRV target. That doesn’t match draft-ietf-dane-srv.

much thanks - the RRs were amended

> 
> Thijs
> 

still testing s2s with problems & some debug output received is as
follows - if you think any more could be useful let me know for reply

socket  debug   ssl handshake error: unknown protocol
socket  debug   closing client with id: da9860 unknown protocol
s2sindc5010     debug   s2s disconnected: observatory.xmpp.net->mqas.net (unknown protocol)
s2sindc5010     debug   Destroying incoming session observatory.xmpp.net->mqas.net: unknown protocol
socket  debug   handshake failed because: unknown protocol


s2sindcee30     debug   certificate chain validation result: invalid
s2sindcee30     debug   certificate error(s) at depth 0: self signed certificate
mod_s2s warn    Forbidding insecure connection to/from observatory.xmpp.net

s2sindcee30     info    incoming s2s stream observatory.xmpp.net->mqas.net closed: Your server's certificate is invalid, expired, or not trusted by mqas.net
s2sindcee30     debug   Destroying incoming session observatory.xmpp.net->mqas.net: Your server's certificate is invalid, expired, or not trusted by mqas.net
socket  debug   try to close client connection with id: dcf7b0
socket  debug   closing delayed until writebuffer is empty
socket  debug   closing client after writing
socket  debug   closing client with id: dcf7b0
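
Added example, not part of the original message or of any project's code: a check for the TLSA placement issue raised in the quoted reply, where records were published for the domain instead of the SRV target. It assumes the `_<port>._<proto>.<SRV target>` owner-name rule from draft-ietf-dane-srv; the names `example.org` and `xmpp.example.net`, the ports, and the helper names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Srv:
    proto: str    # "_tcp"
    domain: str   # service domain the SRV record is published under
    port: int     # port from the SRV record
    target: str   # host that actually accepts the connection


def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def tlsa_owner(srv):
    """Owner name where the TLSA record is expected: _<port>._<proto>.<target>."""
    return f"_{srv.port}.{srv.proto}.{norm(srv.target)}"


def audit_tlsa(srv_records, published_owners):
    """Sort published TLSA owner names into ok / missing / misplaced."""
    published = {norm(o) for o in published_owners}
    expected = {tlsa_owner(s) for s in srv_records}
    domains = {norm(s.domain) for s in srv_records}
    misplaced = []
    for owner in sorted(published - expected):
        # Strip the _port._proto labels to get the host the record sits on.
        host = owner.split(".", 2)[-1] if owner.startswith("_") else owner
        if host in domains:  # sits on the service domain, not the SRV target
            misplaced.append(owner)
    return {
        "ok": sorted(expected & published),
        "missing": sorted(expected - published),
        "misplaced": misplaced,
    }


# Constructed sample zone data (placeholders, not taken from the thread).
SAMPLE_SRV = [
    Srv("_tcp", "example.org", 5269, "xmpp.example.net."),  # s2s
    Srv("_tcp", "example.org", 5222, "xmpp.example.net."),  # c2s
]
SAMPLE_TLSA_OWNERS = ["_5269._tcp.example.org.", "_5222._tcp.xmpp.example.net."]

if __name__ == "__main__":
    for kind, names in audit_tlsa(SAMPLE_SRV, SAMPLE_TLSA_OWNERS).items():
        print(kind, names)
```
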

