fix SSL cert #20

snarfed · 2014-01-04T22:04:57Z

evidently it's missing the intermediate chaining cert. thanks to @aaronpk for debugging!

repro and test:
openssl s_client -connect www.brid.gy:443
openssl s_client -connect brid-gy.appspot.com:443
test: https://www.ssllabs.com/ssltest/analyze.html?d=www.brid.gy&s=74.125.194.121

snarfed · 2014-01-04T22:41:09Z

i just remembered that brid.gy's SSL requires SNI. app engine supports both VIPs and SNI for SSL on custom domains, but VIPs are naturally more expensive, so i went with SNI. not sure that's the root cause here though, since s_client won't connect even with -servername:

$ openssl s_client -servername brid.gy -connect www.brid.gy:443 -showcerts
CONNECTED(00000003)
50139:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s23_lib.c:182:

background: http://blog.chrismeller.com/testing-sni-certificates-with-openssl

aaronpk · 2014-01-04T22:42:59Z

it works with -servername www.brid.gy

snarfed · 2014-01-04T22:58:56Z

yup. i'll probably just switch the source URLs to brid-gy.appspot.com.

@aaronpk

...now that seven years have passed since #20 and aaronpk/webmention.io@14 and hopefully client SNI support in server side SSL libs (notably OpenSSL) is widespread enough now. cc @aaronpk

snarfed closed this as completed in d515b09 Jan 4, 2014

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix SSL cert #20

fix SSL cert #20

snarfed commented Jan 4, 2014

snarfed commented Jan 4, 2014

aaronpk commented Jan 4, 2014

snarfed commented Jan 4, 2014

fix SSL cert #20

fix SSL cert #20

Comments

snarfed commented Jan 4, 2014

snarfed commented Jan 4, 2014

aaronpk commented Jan 4, 2014

snarfed commented Jan 4, 2014