[u-u] Odds and Ends

Dan Astoorian djast at ecf.utoronto.ca
Fri Jul 20 16:46:18 EDT 2018


On Fri, 20 Jul 2018 16:19:58 EDT, Unix Unanimous writes:
> 	Removal of the "s" is not secure ... we added a new
> 	Let's Encrypt cert recently & even tho cert testers
> 	seem to like it, browsers often take several clicks
> 	on "Try Again" to make it work for some reason
> 
> 
> 	Perhaps we will replace the cert soon if further
> 	debugging doesn't turn up anything, sigh :\

Not sure how recently "recently" is, but I sent mail about this on June
11 to www-uu at unixunanimous.org; I never received a reply (or even
acknowledgement that the message was received).

At the time, the certificate on the page had expired on 12/30/2016 (so I
assume this was before the switch to Let's Encrypt), but
even ignoring the expiry problem, browsers were intermittently refusing
to connect, with Firefox reporting
"SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH" (apparently meaning "SSL
received an unexpected Server Key Exchange handshake message."), and
chromium-browser (66.0.3359.170) reporting "ERR_SSL_PROTOCOL_ERROR" with
the diagnostic "[...:ERROR:ssl_client_socket_impl.cc(1098)] handshake
failed; returned -1, SSL error code 1, net_error -107".

So I don't think the problem is the certificate; my guess is that the
server software has some configuration issues.  Tweaking the available
protocols and/or cipher suites (SSLProtocol, SSLCipherSuite,
SSLHonorCipherOrder) might help--perhaps the server is offering ciphers
that modern software just considers broken.

Or maybe the NSA's packet sniffer is having trouble interpolating itself
between the server and its clients transparently :-)

-- 
Dan Astoorian, Systems Administrator
Engineering Computing Facility
University of Toronto
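
The three mod_ssl directives named in the message above, shown in an Apache 2.4 virtual host. This is an added example, not the unixunanimous.org configuration and not something posted to the list. The host name, file paths and the "before" values are constructed assumptions.

```apache
# Added illustration: placeholder host name and paths, constructed values.
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem

    # Before (constructed example of a permissive legacy setup):
    #   SSLProtocol all
    #   SSLCipherSuite RC4-SHA:HIGH:MEDIUM:!aNULL
    #   SSLHonorCipherOrder off

    # After: drop protocol versions that current browsers refuse or warn about.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Offer only strong suites; exclude unauthenticated, MD5, RC4 and 3DES suites.
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES

    # Make the server's preference order win over the client's.
    SSLHonorCipherOrder on
</VirtualHost>
```

After a change, `apachectl configtest` checks the syntax, and `openssl s_client -connect www.example.org:443 -tls1_2` shows which protocol and cipher the server actually negotiates.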
