What is the error message if validation fails for deprecated cipher suites?

Does anyone know the error message if a validation fails due to unsupported cipher suites?

I am inspired by the announcement below. Aaron Gable requested I post here.

4 Likes

I'm not sure the exact error, but I think it'll be urn:ietf:params:acme:error:tls with something like tls: handshake failure

4 Likes

I see that issuance is for about 5m certs per day, so at 0.004% that suggests we'll see something like 20k new failures per day.

I have a suspicion that old versions of Windows Server (2012 and below, and OSes that have been upgraded from older versions without enabling new cipher suites) will see this problem more than some operating systems. They're out of support, so it's not such a big deal, but it's good to have the heads up.

5 Likes

Wouldn't that be 200? Otherwise good stuff.

4 Likes

No, it's actually a lot smaller than that, because that percentage excludes DNS-01 validation. As well, that's the current set that negotiated an RSA cipher; at least in my testing, many of those servers will negotiate something else if the deprecated ciphers aren't present, so an even smaller fraction of that will actually break.

5 Likes
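The point in the last reply, that a server which negotiated an RSA key-exchange suite today may simply pick an ECDHE or TLS 1.3 suite once kRSA is no longer offered, is something an operator can check for themselves. The script below is an added example written for this thread; it is not code from the original posts, from Let's Encrypt or from Boulder. It models the change as "the client stops offering kRSA suites" (OpenSSL cipher string `DEFAULT:!kRSA`, an assumption, not the validator's actual configuration): `key_exchange()` and `will_survive()` triage a suite list a scanner reported, offline and by name only, and `probe()` does the live handshake against a host so you can see whether it falls back to another suite or fails with a handshake alert.

```python
"""Check whether a TLS endpoint will still handshake once RSA key-exchange
(kRSA) cipher suites are no longer offered by the client.

Added example for this thread; not code from the original posts, from
Let's Encrypt or from Boulder.  Assumption: the change is modelled as the
client dropping kRSA suites (OpenSSL cipher string "DEFAULT:!kRSA"), so a
server that only has TLS_RSA_* / AES128-SHA-style suites fails the
handshake, while one that also has (EC)DHE or TLS 1.3 suites picks those.
"""
import socket
import ssl
import sys

# Tokens that mark a non-RSA key exchange in OpenSSL-style names
# (ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES256-SHA, ECDH-RSA-..., PSK-...).
_NON_RSA_KX_TOKENS = {"ECDHE", "DHE", "ECDH", "DH", "ADH", "AECDH",
                      "PSK", "SRP", "KRB5"}


def key_exchange(name):
    """Classify a suite name (IANA or OpenSSL spelling) by key exchange.

    Returns 'tls13', 'ecdhe', 'dhe', 'other' or 'rsa'.  Name-based
    heuristic: covers the common spellings, not every exotic suite.
    """
    n = name.strip().upper()
    if n.startswith("TLS_AES_") or n.startswith("TLS_CHACHA20_"):
        return "tls13"              # TLS 1.3 suites never use RSA kx
    if n.startswith("TLS_"):        # IANA spelling: TLS_<KX>_WITH_...
        kx = n.split("_WITH_", 1)[0][4:]          # e.g. "ECDHE_RSA", "RSA"
        if kx == "RSA":
            return "rsa"
        head = kx.split("_", 1)[0]
        if head == "ECDHE":
            return "ecdhe"
        if head == "DHE":
            return "dhe"
        return "other"
    head = n.split("-", 1)[0]       # OpenSSL spelling
    if head == "ECDHE":
        return "ecdhe"
    if head == "DHE":
        return "dhe"
    if head in _NON_RSA_KX_TOKENS:
        return "other"
    return "rsa"                    # AES128-SHA, DES-CBC3-SHA, ...: kRSA


def without_krsa(suites):
    """Return the suites a kRSA-free client could still negotiate."""
    return [s for s in suites if key_exchange(s) != "rsa"]


def will_survive(suites):
    """True if at least one negotiable suite remains once kRSA is gone."""
    return len(without_krsa(suites)) > 0


def probe(host, port=443, timeout=5.0):
    """Live check: connect with a client that offers no kRSA suites.

    Certificate verification is disabled on purpose so the result reflects
    cipher negotiation only.  Needs network access; returns a dict either way.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT:!kRSA")   # TLS 1.2 list; TLS 1.3 suites stay on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(),
                        "cipher": tls.cipher()[0]}
    except ssl.SSLError as e:
        # An RSA-only server typically answers with a handshake_failure
        # alert, surfacing here as reason 'SSLV3_ALERT_HANDSHAKE_FAILURE'.
        return {"ok": False, "error": e.reason or str(e)}
    except OSError as e:
        return {"ok": False, "error": str(e)}


if __name__ == "__main__":
    # Constructed sample lists: what a scanner might report for an
    # RSA-only legacy box versus a server with modern suites as well.
    legacy = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
    modern = ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
              "AES128-SHA"]
    print("legacy survives:", will_survive(legacy))   # False
    print("modern survives:", will_survive(modern))   # True
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))                     # live check of a host
```

Run it as `python probe.py example.com` to see what a kRSA-free client negotiates against a real host; a server that can only do RSA key exchange comes back with `ok: False` and a handshake-failure reason, which is the server-side symptom behind whatever error the CA ultimately reports.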