Updating SSL keys on fedoraproject.org 2011-03-10

Stephen John Smoogen smooge at gmail.com
Thu Mar 10 17:17:36 UTC 2011


On Thu, Mar 10, 2011 at 01:07, Petr Pisar <ppisar at redhat.com> wrote:
> On 2011-03-10, Stephen Smoogen <smooge at gmail.com> wrote:
>>
>> We have already updated fedorahosted.org and will now be updating the
>> cert for the main site: fedoraproject.org.
>>
>> The old certificate came from Equifax, was a 1024 bit key and had the
>> fingerprint:
> [...]
>> The new certificate is issued by GeoTrust, Inc and is a 4096 bit key
>> with the fingerprint:
>>
> Key length is not everything. Didn't you forget to upgrade the hash
> algorithm? Sticking with SHA-1, which has been abandoned by ETSI and other
> authorities, does not look very safe.

From my research, using SHA-2 in TLS requires both the user and the
server to be able to talk TLS-1.2. From what I found at Wikipedia
(http://en.wikipedia.org/wiki/Transport_Layer_Security), Firefox does
not support 1.2 (only Opera and IE8 do).

> -- Petr



-- 
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Let us be kind, one to another, for most of us are fighting a hard
battle." -- Ian MacLaren

