Does anyone know the error message if a validation fails due to unsupported cipher suites?
I am inspired by the announcement below. Aaron Gable requested I post here.
I'm not sure of the exact error, but I think it'll be urn:ietf:params:acme:error:tls with something like tls: handshake failure
I see that issuance is for about 5m certs per day, so at 0.004% that suggests we'll see something like 20k new failures per day.
I have a suspicion that old versions of Windows Server (2012 and below and OSes that have been upgraded from older versions without enabling new cipher suites) will see this problem more than some operating systems. They're out of support so it's not such a big deal but it's good to have the heads up.
Wouldn't that be 200? Otherwise good stuff.
No, it’s actually a lot smaller than that because that percentage excludes DNS-01 validation. As well, that’s the current set that negotiated an RSA cipher - at least in my testing many of those servers will negotiate something else if the deprecated ciphers aren’t present, so an even smaller fraction of that will actually break.