Proposal: Keep only ISRG Root X1 in the HTTPS certificate chain #221

Closed
skyzh opened this issue Oct 4, 2021 · 3 comments
@skyzh skyzh commented Oct 4, 2021

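As for how to do it, setting preferred_chains to smallest, as described in https://caddyserver.com/docs/caddyfile/directives/tls, should be enough.

Impact

  • Users (except Android) who can still use the mirror site after DST Root CA X3 expired on September 30: not affected.
  • Android <=7 users: will not be able to access the mirror site directly, and will need to manually ignore the certificate warning in the browser.
  • Users who cannot access the mirror site because of the certificate verification logic in OpenSSL and GnuTLS: will be able to access it normally.
  • Users who do not have the ISRG CA among their CAs: still unable to access.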
@skyzh skyzh changed the title Proposal: Keep only ISRG in the HTTPS certificate chain Proposal: Keep only ISRG Root X1 in the HTTPS certificate chain Oct 4, 2021

@skyzh skyzh commented Oct 4, 2021

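Around 10/14 this month, caddy will automatically renew the certificate for mirrors.sjtug.sjtu.edu.cn, so once this Proposal is approved it will be applied during the maintenance on 10/7.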


@skyzh skyzh commented Oct 11, 2021

Caddy config

{
  key_type rsa4096
  preferred_chains smallest
  cert_issuer acme
}

We will re-issue the certificate today or tomorrow.
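An added example, not part of the original thread or the project's code: after the re-issue, one way to confirm which chain the server sends is to classify the "Certificate chain" section printed by `openssl s_client -connect HOST:443 -showcerts`. The sample outputs, the host name `mirror.example` and the intermediate name R3 are constructed assumptions, and the function names are hypothetical.

```python
import re

# Constructed samples of the "Certificate chain" section (names only).
LONG_CHAIN = """\
Certificate chain
 0 s:CN = mirror.example
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""
SHORT_CHAIN = """\
Certificate chain
 0 s:CN = mirror.example
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""

_CN = re.compile(r"\bCN\s*=\s*([^,/\n]+)")      # "CN = X" and "/CN=X" styles
_SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")     # " 0 s:<subject DN>"
_ISSUER = re.compile(r"^\s*i:(.*)$")            # "   i:<issuer DN>"

def _cn(dn):
    m = _CN.search(dn)
    return m.group(1).strip() if m else dn.strip()

def served_chain(s_client_output):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in s_client_output.splitlines():
        if (m := _SUBJECT.match(line)):
            subject = _cn(m.group(1))
        elif (m := _ISSUER.match(line)) and subject is not None:
            chain.append((subject, _cn(m.group(1))))
            subject = None
    return chain

def classify(s_client_output):
    chain = served_chain(s_client_output)
    if not chain:
        return "no-chain"
    if any("DST Root CA X3" in pair for pair in chain):
        return "cross-signed"   # expired DST root is still referenced
    if chain[-1][1] == "ISRG Root X1":
        return "isrg-only"      # what preferred_chains smallest should yield
    return "other"
```
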
