From owner-freebsd-hackers@freebsd.org Wed Nov 18 01:28:58 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E46CCA2E2B7 for ; Wed, 18 Nov 2015 01:28:58 +0000 (UTC) (envelope-from royce.williams@gmail.com) Received: from mail-ob0-x233.google.com (mail-ob0-x233.google.com [IPv6:2607:f8b0:4003:c01::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id ACF601985 for ; Wed, 18 Nov 2015 01:28:58 +0000 (UTC) (envelope-from royce.williams@gmail.com) Received: by obbbj7 with SMTP id bj7so21949219obb.1 for ; Tue, 17 Nov 2015 17:28:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=GpKYmYduaIesJW5AqAWrakRuTphWfwlvC5WM+mJdC/w=; b=0zOW2/8vVeXeBGf2/LTMiUizJSdVesfctP52kKWLhkK8ONct8ZEd0pKQvO0S9njgot T3F7xw/3K1vcU1d8Oil5r44zq1VR9UQN6vuma6vy/nNX30Arq19PVbKPxxs6dsdwMbHa zUFNem/hmV5rZExP+N5Go5CuHfZJ7yBH0r+MwpGEJCqpdhJIKkDQEYNSuD6dB1RNsGZl jZVb3sDHnSqfQ2QlVEj/9vQhMhgQrmImkwS1L3N9qJs1o5bN3fyeTHKzANXSV6cM3Am/ Ztta8O3tUY2H3tVdVrHZfpP/UHwuxXBIjC8JWi+0mZ6GvX5KQLX8h/HFTL4Wik4fCJB2 H48g== X-Received: by 10.60.155.33 with SMTP id vt1mr29420734oeb.27.1447810137876; Tue, 17 Nov 2015 17:28:57 -0800 (PST) MIME-Version: 1.0 Sender: royce.williams@gmail.com Received: by 10.202.81.85 with HTTP; Tue, 17 Nov 2015 17:28:28 -0800 (PST) In-Reply-To: References: From: Royce Williams Date: Tue, 17 Nov 2015 16:28:28 -0900 X-Google-Sender-Auth: vorlqRM0cSAuNliELpj4EYNwpao Message-ID: Subject: Re: FreeBSD forum certificates wrong somehow. To: Zaphod Beeblebrox Cc: FreeBSD Hackers Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Nov 2015 01:28:59 -0000 On Tue, Nov 17, 2015 at 4:05 PM, Zaphod Beeblebrox wrote: > I realize that I have no idea who is in the wrong --- the error is rather > opaque, but please follow: > > One of google or https everywhere (or both) directs my google searches to > https when forums.freebsd.org comes up. For some reason, I can't seem to > add an exception, but https is generally good... > > ... but firefox doesn't want to talk to https://forums.freebsd.org. So > much so, in fact, it doesn't even provide the usual "add exception for > https self-signed" ... it's just a dialog to report this nasty violation. > > ... now I realize that chrome seems to read the site just fine...but I > maintain that I'd rather not use chrome ... and really someone needs to > look at the problem... > > ... and since I don't know how to effectively complain to mozilla, I'm > starting by posting here. Firefox on what platform? I'm unable to replicate here, on Windows 7 or Linux (all I can reach at the moment). Qualys SSL Labs comes up clean for both IPv4 and IPv6: https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org&s=149.20.54.209&latest https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org&s=2001%3A4f8%3A3%3A36%3A0%3A0%3A0%3A209 Only unusual (not bad) thing that stands out from the results is that TLS 1.0 is not supported, which most sites haven't had the guts to do yet that I have seen. Do the forums have any load-balancing or DNS anycast stuff going on, or is forums.freebsd.org always 149.20.54.209 regardless of network standpoint? Firefox usually supplies an error code (of the form "err_ssl_version_or_cipher_mismatch" or similar). Anything like that showing up on your end? Royce