Re: Certificate mismatch


 



tom petch wrote:
> 
>> <ynir.ietf@xxxxxxxxx> wrote:
>>
>>> tom petch <daedulus@xxxxxxxxxxxxx> wrote:
>>>
>>> Running on a backup computer, I get a certificate mismatch message when I 
>>> try to access the datatracker using the link from the IESG page and a 
>>> warning that I really should not proceed to this dangerous website.
>>>
>>> Indeed, the website is datatracker.ietf.org and the certificate 
>>> *.iab.org
>>>
>>> Has something changed, or is this just a configuration quirk (Internet 
>>> Explorer) on my backup system?
>>
>> Is your Internet Explorer old enough to not send SNI?
>> 
>> Which, according to Wikipedia, is equivalent to asking if your backup 
>> computer is running XP.
> 
> Spot on.  I know SNI well but had not realised that it was lacking from the 
> tried and tested, trusty XP (which makes it a good choice for a backup 
> system:-).


For the IETF web sites in question, this explanation is a pretty
lame excuse for the server-side failure to present a reasonable server
certificate.  It's not like the IAB and the datatracker are from
completely separate competing secretive organizations that the current
setup would be a vital requirement.

The obvious correct fix would be to obtain one single proper server
certificate that lists all the necessary hostnames as "SubjectAltNames"
of type dnsName (see rfc2818 Section 3), and then interop would just work,
even for stuff that isn't (heart)bleeding edge technology.  At least 
in the past, interoperability was considered important in the IETF.


-Martin
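
The mismatch discussed in this thread, as an added example that is not part of the original message: a small model of server-side certificate selection with and without SNI, and of dNSName matching in the style of RFC 2818 Section 3. The certificate contents and the function names are constructed for illustration; only the names `*.iab.org` and `datatracker.ietf.org` come from the thread.

```python
# Added illustration: certificates are modelled as lists of SAN dNSName
# strings. The data is constructed, not the real IETF certificates.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against a hostname (RFC 2818 Section 3 style).

    A wildcard is honoured only as the entire leftmost label and covers
    exactly one label, the conservative reading later codified in RFC 6125.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a TLD such as "*.org".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches(san_dns_names, hostname):
    """True if any dNSName entry in the certificate covers the hostname."""
    return any(dns_name_matches(n, hostname) for n in san_dns_names)

def select_cert(certs, sni):
    """Server side: pick the certificate for the SNI name, else the default."""
    if sni is not None:
        for cert in certs:
            if cert_matches(cert, sni):
                return cert
    return certs[0]  # no SNI (or unknown name): first certificate is the default

def handshake_ok(certs, hostname, client_sends_sni):
    """Client side: does the presented certificate cover the requested host?"""
    presented = select_cert(certs, hostname if client_sends_sni else None)
    return cert_matches(presented, hostname)

# Constructed setups: one certificate per site on a shared address,
# versus a single certificate listing every hostname as a dNSName.
PER_SITE = [["*.iab.org"], ["datatracker.ietf.org"]]
SINGLE_CERT = [["*.iab.org", "datatracker.ietf.org"]]

if __name__ == "__main__":
    host = "datatracker.ietf.org"
    for label, certs in (("per-site", PER_SITE), ("single", SINGLE_CERT)):
        for sni in (True, False):
            print(label, "SNI" if sni else "no SNI", handshake_ok(certs, host, sni))
```
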




