X-Msuck: nntp://news.gmane.io/gmane.emacs.gnus.general/77684
From: Matthias Andree
Newsgroups: gmane.emacs.gnus.general
Subject: Re: SSL certificate issues for git.gnus.org
Date: Mon, 14 Mar 2011 10:30:22 +0100
Message-ID: <4D7DE02E.204@gmx.de>
References: <87sk71o198.fsf@lifelogs.com> <87fx2tq8nx.fsf@lifelogs.com> <87r5m6gvgb.fsf_-_@lifelogs.com> <87sjvb7p4z.fsf@lifelogs.com> <8762s7n3gq.fsf@topper.koldfront.dk> <87fwrb67zq.fsf@lifelogs.com> <87wrknlnz4.fsf@topper.koldfront.dk> <8739n80x9j.fsf@lifelogs.com> <871v2rg9g4.fsf@dod.no> <87wrkj15yb.fsf@lifelogs.com> <87bp1m3kpx.fsf@lifelogs.com> <87lj0ne2cq.fsf@latte.josefsson.org> <877hc663xo.fsf@latte.josefsson.org> <87sjuuiqj0.fsf@lifelogs.com> <87lj0mfbca.fsf@latte.josefsson.org> <87y64i2i3e.fsf@latte.josefsson.org>
In-Reply-To: <87y64i2i3e.fsf@latte.josefsson.org>
To: larsi@gnus.org, ding@gnus.org
Cc: Simon Josefsson
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.15) Gecko/20110303 Mnenhy/0.8.3 Thunderbird/3.1.9
Xref: news.gmane.org gmane.emacs.gnus.general:77684

On 14.03.2011 09:59, Simon Josefsson wrote:
> It is not strictly needed, but you may want to make the web server send
> the following as an intermediate certificate too:
>
> http://www.cacert.org/certs/class3.txt

Lars, please do, in order to establish proper practice - servers are
supposed to send all intermediate CA certificates, too, in the right order.

> Then clients only have to trust the root CACert CA without also knowing
> the intermediate CACert certificate. I suspect most clients already
> trust the intermediate CACert CA anyway though.

For CAcert it's fine because the intermediate CA is usually trusted, but
generally it is a bad thing, as it breaks end user setups. I've been
through this 3-layered intermediate stuff with DFN setups more than a
dozen times.

> If you are using apache with mod_gnutls (Debian libapache2-mod-gnutls)
> just concatenate the git.gnus.org PEM blob above with the PEM blob in
> the URL above into a text file and then point to the files like this:
>
> GnuTLSEnable on
> GnuTLSCertificateFile /etc/ssl/private/git.gnus.org-chain.pem
> GnuTLSKeyFile /etc/ssl/private/git.gnus.org-key.pem
> GnuTLSPriorities NORMAL

Similar considerations apply for mod_ssl if you happen to use that. I
can dig up details if desired.

Best regards

-- 
Matthias Andree
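The point of the exchange above, as an added example that is not part of the thread and not the gnus.org server configuration: a client that trusts only the root CA can build a path to the server certificate only if the server sends the intermediate, and the chain file has to be in issuer order. The script builds a throwaway root, intermediate and server certificate with the openssl CLI (all names such as "Example Root CA" and "git.example.test" are constructed; the real CAcert class3 certificate is not embedded), assembles the chain file in the layout the mod_gnutls snippet expects (server certificate first, then the intermediate, root omitted), and checks both properties. The helper names make_test_pki, build_chain, chain_in_order and verify_with_root are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): build root -> intermediate -> server
# PKI, assemble a chain file for GnuTLSCertificateFile / SSLCertificateChainFile
# style deployments, and check (1) the chain is in issuer order and (2) a
# root-only trust store validates the server cert only when the intermediate
# is sent along. Every name below is constructed for the demonstration.

PKI=$(mktemp -d)

# make_test_pki DIR: create root.pem, int.pem, leaf.pem (and keys) in DIR.
make_test_pki() {
    dir=$1
    # extension profile shared by root and intermediate: they must be CAs
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    # self-signed root
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -out "$dir/root.csr" -subj "/CN=Example Root CA" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    # intermediate CA signed by the root
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" \
        -out "$dir/int.csr" -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/int.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" \
        -out "$dir/int.pem" 2>/dev/null
    # server (end-entity) certificate signed by the intermediate
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:git.example.test\n' \
        > "$dir/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
        -out "$dir/leaf.csr" -subj "/CN=git.example.test" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/leaf.csr" -CA "$dir/int.pem" \
        -CAkey "$dir/int.key" -CAcreateserial -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.pem" 2>/dev/null
}

# build_chain OUT LEAF INTERMEDIATE...: the file the web server hands out.
# Order matters: end-entity certificate first, then each issuer in turn;
# the root is left out because clients must already trust it.
build_chain() {
    out=$1; shift
    cat "$@" > "$out"
}

# chain_in_order CHAIN: exit 0 iff certificate N is issued by certificate N+1
# for every N, i.e. the path a client builds never has to reorder anything.
chain_in_order() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
      | openssl pkcs7 -print_certs -noout 2>/dev/null \
      | awk 'BEGIN { n = 0 }
             /^subject=/ { sub(/^subject=/, ""); subj[n] = $0 }
             /^issuer=/  { sub(/^issuer=/, "");  iss[n] = $0; n++ }
             END {
               if (n < 2) exit 1
               for (k = 0; k < n - 1; k++) if (iss[k] != subj[k + 1]) exit 1
               exit 0
             }'
}

# verify_with_root ROOT LEAF [SERVED_CHAIN]: model a client whose only trust
# anchor is ROOT and which received SERVED_CHAIN (or nothing) from the server.
verify_with_root() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

make_test_pki "$PKI"
build_chain "$PKI/chain.pem" "$PKI/leaf.pem" "$PKI/int.pem"

chain_in_order "$PKI/chain.pem" && echo "chain.pem is in issuer order"
verify_with_root "$PKI/root.pem" "$PKI/leaf.pem" "$PKI/chain.pem" \
    && echo "intermediate sent: server cert validates against a root-only store"
verify_with_root "$PKI/root.pem" "$PKI/leaf.pem" \
    || echo "intermediate missing: validation fails with a root-only store"
```

The second verify_with_root call is the situation Matthias describes as breaking end-user setups: the client has the root, the server omits the intermediate, and path building stops at the first certificate whose issuer cannot be found. The chain_in_order check is worth running whenever the chain file is regenerated, since a concatenation in the wrong order is the most common way such a file goes bad.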