[Cryptech Tech] Some problems with the repo access
Rob Austein
sra at hactrn.net
Fri Feb 14 15:46:46 UTC 2014
At Fri, 14 Feb 2014 15:52:43 +0100, Jakob Schlyter wrote:
>
> If cryptech.is actually sends the CA certificate in the TLS
> handshake, I believe it does, I would go for a SHA-256 of the CA
> public key (2 1 1) in order to keep the DNS response packet size
> sane.
openssl s_client shows only EE certificate for both SMTP and HTTPS.
It may be possible to configure Postfix and Apache to change this, but
I'm not convinced it's worth a lot of effort: even with gratuitous
signatures in the Authority and Additional sections, the signed
response to a query for the TLSA is only 1659 octets. Which might be
a problem for users trapped behind broken firewalls, but anyone using
DNSSEC behind such a firewall is probably in trouble in any case.
More information about the Tech
mailing list