SSL Certificates, chains and Android
Tuesday, 19 July 2011 12:28

We use RapidSSL as our SSL certificate authority for our servers and recently came across problems when we renewed them; this note might be useful for others in a similar position.

A number of the SSL Certificate Authorities have moved to using new 2048 bit keys to sign certificates. The only major problem with this is that the new CA certificate isn't trusted by many existing devices, because the devices pre-date it. For operating systems (Mac/Windows etc) or software, this can be easily remedied by a patch, update or new version of the software. Those people with things like mobile phones would need a new firmware update - not something that happens overnight, if at all.

With our new RapidSSL certificate, we unknowingly switched from an existing 1024 bit CA certificate to a new 2048 bit one; the desktop email client and web browser took it all in their stride, but not the email client on my Android phone (an HTC Desire).

Email chats with the SSL certificate supplier pointed me towards getting a Certificate Authority chain file set up on the server, so that the Android device could get the new certificates online. While technically this was the right approach, the key fact missing from the information was that the chain file had to have its contents in a particular order.

For our RapidSSL certificate, this meant:

[RapidSSL Intermediate certificate]

[Equifax Cross Root certificate]

[Equifax Root certificate]

Drop these into a single text file, in that order, and then point each server at it: the Apache server using the 'SSLCACertificateFile' directive, the Cyrus email server using the 'tls_ca_file' directive, and finally Postfix using the 'smtpd_tls_CAfile' directive.

With the contents of the file in the wrong order, the Android phone would complain about connecting to the secure website, and give a 'Network Error' message when talking to the mail server - useful. Sort out the file into the right order, and the messages go away.

The first two can be downloaded together (in the right order!) from here; the third can be obtained from here. Append the files together and make sure the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines of adjacent certificates are not run together on one line.
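The two mistakes described above (certificates in the wrong order, and delimiter lines glued together) are easy to check for before a phone tells you about them. The script below is an added example, not code from the original post: it uses openssl to generate a throw-away toy hierarchy (root, cross root, intermediate) that mirrors the RapidSSL/Equifax layout, builds a correctly ordered chain file plus two broken ones, and checks each file by splitting it into PEM blocks and confirming that every certificate is immediately followed by its issuer. All subject names, file names and the working directory are constructed for the demonstration; they are not the real RapidSSL or Equifax certificates.

```shell
#!/bin/sh
# Added example: verify that a CA chain file is ordered leaf-side first, i.e.
# each certificate is followed by the certificate that issued it, and that no
# BEGIN/END delimiter lines have been run together. Everything below is
# constructed for the demonstration (toy CA names, temp paths).
set -eu

WORK="${TMPDIR:-/tmp}/chainorder.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# new_key_and_csr NAME SUBJECT: fresh RSA key plus a CSR for SUBJECT.
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# sign_ca NAME ISSUER: sign NAME's CSR with ISSUER's key as a CA certificate.
sign_ca() {
    openssl x509 -req -days 30 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions v3_ca \
        -out "$WORK/$1.pem" 2>/dev/null
}

# Toy hierarchy mirroring the post's layout: root -> cross root -> intermediate.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$WORK/openssl.cnf" -extensions v3_ca -subj '/CN=Toy Root CA' \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
new_key_and_csr cross '/CN=Toy Cross Root CA'
sign_ca cross root
new_key_and_csr inter '/CN=Toy Intermediate CA'
sign_ca inter cross

# check_chain_order BUNDLE: return 0 only if BUNDLE is correctly ordered.
check_chain_order() {
    bundle="$1"
    # Two PEM blocks pasted onto one line is the join the post warns about.
    if grep -q 'END CERTIFICATE----------BEGIN CERTIFICATE' "$bundle"; then
        echo "$bundle: BEGIN/END delimiter lines are joined" >&2
        return 1
    fi
    # Split the bundle into one file per certificate: part.1, part.2, ...
    rm -f "$WORK"/part.*
    awk -v dir="$WORK" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/part." n }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$bundle"
    prev_issuer=""
    i=1
    while [ -f "$WORK/part.$i" ]; do
        subject=$(openssl x509 -in "$WORK/part.$i" -noout -subject | sed 's/^subject=//')
        issuer=$(openssl x509 -in "$WORK/part.$i" -noout -issuer | sed 's/^issuer=//')
        # Certificate i must be the issuer of certificate i-1.
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "$bundle: certificate $i ($subject) did not issue certificate $((i - 1))" >&2
            return 1
        fi
        prev_issuer="$issuer"
        i=$((i + 1))
    done
    [ "$i" -gt 1 ]   # an empty bundle is also a failure
}

# Right order, as the post lists it: intermediate, cross root, root.
cat "$WORK/inter.pem" "$WORK/cross.pem" "$WORK/root.pem" > "$WORK/chain-right.pem"
# Wrong order: root first.
cat "$WORK/root.pem" "$WORK/cross.pem" "$WORK/inter.pem" > "$WORK/chain-wrong.pem"
# Right order, but each END line glued to the following BEGIN line.
awk '/END CERTIFICATE/ { printf "%s", $0; next } { print }' \
    "$WORK/chain-right.pem" > "$WORK/chain-joined.pem"

for f in chain-right chain-wrong chain-joined; do
    if check_chain_order "$WORK/$f.pem"; then
        echo "$f.pem: order OK"
    fi
done
```

Run it against your real chain file by calling check_chain_order on that file instead of the toy bundles; the check only reads subjects and issuers, so it works on any PEM bundle regardless of key size or CA. Note that it deliberately does not use openssl verify: verify treats a CA file as an unordered trust store and is happy with either ordering, which is exactly why the problem only surfaced on the phone.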

OpenSIPS 1.6.3, nathelper and Solaris 10
Sunday, 12 December 2010 09:25

We have been doing some work with our VoIP setup recently, involving getting to grips with OpenSIPS. Although the website claims Solaris compatibility, many of the ways we've tried to get it working ended up with problems. Maybe this will help someone else get to a working solution quickly.

Using Sun/Oracle JET for Standard Builds
Friday, 10 December 2010 10:21

The Sun/Oracle JET makes the process of JumpStarting Solaris boxes much easier than traditional JumpStart, and is still very flexible. However, setting up a Standard Build environment requires an investment of time and effort to get to know the toolkit, and a degree of imagination to make it do what you want. The 'JET Manifest Install' module removes some of the need to learn the inner workings of the tool and puts you on the path to defining and managing a standardised build environment.
