
Re: [MirageOS-devel] [opam-devel] Problem with ocaml.janestreet.com TLS cert?



On 04/18/2015 06:35 PM, Anil Madhavapeddy wrote:
> This is a broken `curl` command on base OSX.  Try switching to wget with:
> 
>     export OPAMFETCH=wget
> 
> CCing Yaron Minsky and Jeremie Diminio about the Jane Street setup -- this is
> likely a result of disabling SSLv3 due to the POODLE attack.
> 
>> FWIW, visiting the site, Chrome complains:

I don't think this is related to the problem you're seeing with curl as curl 
works fine on Debian Jessie.

>>
>> "The identity of this website has been verified by VeriSign Class 3
>> Secure Server CA - G3 but does not have public audit records.
>>
>> The site is using outdated security settings that may prevent future
>> versions of Chrome from being able to safely access it."

https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know

>>
>> and
>>
>> "Your connection to ocaml.janestreet.com is encrypted with obsolete
>> cryptography.
>>
>> The connection uses TLS 1.2.
>>
>> The connection is encrypted and authenticated using AES_128_GCM and
>> uses RSA as the key exchange mechanism."
>>

Probably complains about lack of ECDHE, but then Firefox does use ECDHE, and 
Chrome doesn't:
https://www.ssllabs.com/ssltest/analyze.html?d=ocaml.janestreet.com

Best regards,
--Edwin


_______________________________________________
MirageOS-devel mailing list
MirageOS-devel@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel


 

