[Cryptech Tech] Some problems with the repo access

Rob Austein sra at hactrn.net
Fri Feb 14 15:46:46 UTC 2014


At Fri, 14 Feb 2014 15:52:43 +0100, Jakob Schlyter wrote:
> 
> If cryptech.is actually sends the CA certificate in the TLS
> handshake, I believe it does, I would go for a SHA-256 of the CA
> public key (2 1 1) in order to keep the DNS response packet size
> sane.

openssl s_client shows only EE certificate for both SMTP and HTTPS.

It may be possible to configure Postfix and Apache to change this, but
I'm not convinced it's worth a lot of effort: even with gratuitous
signatures in the Authority and Additional sections, the signed
response to a query for the TLSA is only 1659 octets, which might be
a problem for users trapped behind broken firewalls, but anyone using
DNSSEC behind such a firewall is probably in trouble in any case.
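Added example, not code from either message in the thread: the TLSA matching rule that makes the "does the server send the CA certificate" question matter for a 2 1 1 record. It assumes certificates have already been parsed into (certificate DER, SubjectPublicKeyInfo DER) byte pairs; the DER blobs below are constructed stand-ins, not real certificates.

```python
"""DANE/TLSA matching against the chain a server actually presents.
Added example; the byte strings are constructed stand-ins, not real DER."""
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA (trust anchor), 3 = DANE-EE (end entity)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data

def association_data(cert_der, spki_der, selector, matching):
    """Certificate association data as defined in RFC 6698 section 2.1.4."""
    selected = cert_der if selector == 0 else spki_der
    if matching == 0:
        return selected
    if matching == 1:
        return hashlib.sha256(selected).digest()
    if matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching}")

def tlsa_matches(record, presented_chain):
    """True if the record matches something the server actually sent.
    Usage 3 checks only the end-entity certificate (chain[0]).  Usage 2
    needs the trust-anchor certificate itself in the presented chain: with
    selector 1 / matching 1 the client holds only a hash of the CA key, so
    a server that sends just the EE certificate can never satisfy 2 1 1."""
    if record.usage == 3:
        candidates = presented_chain[:1]
    elif record.usage == 2:
        candidates = presented_chain
    else:
        raise ValueError("PKIX usages 0/1 need a trust store; not handled here")
    return any(association_data(c, s, record.selector, record.matching) == record.data
               for c, s in candidates)

# Constructed stand-ins for DER blobs (not real certificates).
EE_CERT, EE_SPKI = b"constructed-ee-cert", b"constructed-ee-spki"
CA_CERT, CA_SPKI = b"constructed-ca-cert", b"constructed-ca-spki"
CA_RECORD_2_1_1 = TLSA(2, 1, 1, hashlib.sha256(CA_SPKI).digest())
EE_RECORD_3_1_1 = TLSA(3, 1, 1, hashlib.sha256(EE_SPKI).digest())
EE_ONLY_CHAIN = [(EE_CERT, EE_SPKI)]            # what s_client showed
FULL_CHAIN = [(EE_CERT, EE_SPKI), (CA_CERT, CA_SPKI)]
```

With only the EE certificate on the wire, the 3 1 1 record matches and the 2 1 1 record does not; once the CA certificate is included in the handshake, 2 1 1 matches as well.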