[SAC] [OSGeo] #1633: Update OSGeo SSL certificate - if needed

Eli Adam eadam at co.lincoln.or.us
Mon Jan 30 09:44:03 PST 2017 

On Mon, Jan 30, 2017 at 8:03 AM, Alex Mandel <tech_dev at wildintellect.com> wrote:
> On 01/30/2017 12:11 AM, OSGeo wrote:
>> #1633: Update OSGeo SSL certificate - if needed
>> ---------------------------------+--------------------
>>  Reporter:  msmitherdc           |       Owner:  sac@…
>>      Type:  task                 |      Status:  new
>>  Priority:  critical             |   Milestone:
>> Component:  Systems Admin        |  Resolution:
>>  Keywords:  ssl web certificate  |
>> ---------------------------------+--------------------
>>
>> Comment (by strk):
>>
>>  Only 9 months are elapsed since the SSL.com certificate was issued, so
>>  there should be time before we switch. Could your issue be a temporary
>>  glitch on Travis ? I'm all for switching all to letsencrypt and happy to
>>  do it but wouldn't rush if not needed. Anyway, my SSL cert (letsencrypt)
>>  is rated A (for comparison):
>>  https://www.ssllabs.com/ssltest/analyze.html?d=strk.kbt.io
>>
>> --
>> Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1633#comment:6>
>> OSGeo <http://www.osgeo.org/>
>> OSGeo committee and general foundation issue tracker.
>> _______________________________________________
>> Sac mailing list
>> Sac at lists.osgeo.org
>> https://lists.osgeo.org/mailman/listinfo/sac
>>
>
> I agree we should try to solve what's wrong with the current
> certificate. Long term a plan to transition to something else would be
> fine, but it needs to be a planned, tested and scheduled roll out with
> maintenance documented if automated renewals need to be coded.

I think that the C rating comes from the supported (or rather not
supported) protocol versions, not the certificate.  A new certificate
with the same config may have the same results.

>

Quality check:

 https://www.ssllabs.com/ssltest/analyze.html?d=svn.osgeo.org

 --> Overall Rating: C

>From that url: "The server supports only older protocols, but not the
current best TLS 1.2. Grade capped to C.  MORE INFO "
https://blog.qualys.com/ssllabs/2015/05/22/ssl-labs-increased-penalty-when-tls-12-is-not-supported


Eli


> Thanks,
> Alex
> _______________________________________________
> Sac mailing list
> Sac at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/sac

More information about the Sac mailing list