Free Chinese 2 year SSL certificate: DV KuaiSSL by WoSign.com - Page 5

Comments

  • tommy Member

    now we can request 3 year ssl :D

    Thanked by 2comXyz rm_
  • @tommy said:
    now we can request 3 year ssl :D

    Got one ;)

  • You may want to set up OCSP stapling since their revocation server is in China which may add considerable latency to your web sites.

    Thanked by 1deadbeef
  • perhaps it will have 39 months wildcard SSL, lol

  • Same, I'm grabbing 3yr SSLs

  • Well, my MacBook Retina does not recognize this kind of SSL. So useless. Well, I should buy a 4 USD Comodo SSL and be happy.

  • comXyz Member
    edited March 2015

    @ZweiTiger said:
    Well, my MacBook Retina does not recognize this kind of SSL. So useless. Well, I should buy a 4 USD Comodo SSL and be happy.

    I have no problems browsing my website on Mac OS, but I'm not using a MacBook though.

    Can you confirm if this site works for you or not? https://comxyz.com/

  • berkay Member
    edited March 2015

    How do you guys make stapling succeed with the new 3 yr English issued certs which use this cert as intermediate? Tried many certificates but stapling never succeeds.

    Edit: Okay, it seems that problem is with WoSign's stapling server, you can get it working like that.

  • Bayu Member

    I've successfully implemented WoSign SSL for nginx, but it fails for webmin.
    Please help me, how do I use a WoSign SSL certificate for webmin?
    Thanks

  • rokok Member

    Also having OCSP stapling problem, perhaps just their server but hey at least it's working and free :D

  • @rokok said:
    Also having OCSP stapling problem, perhaps just their server but hey at least it's working and free :D

    If you're using nginx, do what he says. Works very well.

    Thanked by 1rokok
  • rokok Member
    edited March 2015

    @introducial said:
    If you're using nginx, do what he says. Works very well.

    update: it works! but still questioning the cron job period, every hour ?

    update2: all other browser works fine except firefox error: The OCSP server has no status for the certificate. (Error code: sec_error_ocsp_unknown_cert)

  • rm_ IPv6 Advocate, Veteran

    Lighttpd for example doesn't support OCSP at all, so a fine way of dealing with any OCSP problem is to just stop caring about OCSP.

  • @rm_ said:
    Lighttpd for example doesn't support OCSP at all, so a fine way of dealing with any OCSP problem is to just stop caring about OCSP.

    Do you know if IIS has anything to do with OCSP @rm_ ?

  • SplitIce Member, Host Rep

    OCSP stapling is great regardless of your CA. Saves a request / round trip :)

    You can test if it's enabled with openssl:

        openssl s_client -connect www.x4b.net:443 -tls1 -tlsextdebug -status | grep "OCSP response"

    Not stapled:

        OCSP response: no response sent

    Stapled:

        OCSP response:
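
The grep above only shows whether anything was stapled. As an added example (not part of the original post), the function below also reads the responder status and the certificate status from the same `openssl s_client -status` output; `classify_stapling` is a hypothetical name and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example. classify_stapling is a hypothetical helper name.
# Live use (example.com is a placeholder host):
#   openssl s_client -connect example.com:443 -servername example.com \
#       -status </dev/null 2>/dev/null | classify_stapling

classify_stapling() {
    # Reads `openssl s_client -status` output on stdin, prints one verdict.
    awk '
        /OCSP response: no response sent/ { none = 1 }
        /OCSP Response Status:/           { rstat = $4 }
        /Cert Status:/                    { cstat = $3 }
        END {
            if (none)                       print "not-stapled"
            else if (rstat == "")           print "no-ocsp-section"
            else if (rstat != "successful") print "responder-error:" rstat
            else if (cstat == "")           print "stapled-unparsed"
            else                            print "stapled-" cstat
        }'
}

# Constructed sample outputs (not captured from a real server).
sample_not_stapled() {
    printf '%s\n' 'CONNECTED(00000003)' 'OCSP response: no response sent' '---'
}

sample_good() {
    cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Mar 10 08:00:00 2015 GMT
    Next Update: Mar 14 08:00:00 2015 GMT
EOF
}

# Same response, but the responder does not know the certificate yet.
sample_unknown() { sample_good | sed 's/Cert Status: good/Cert Status: unknown/'; }

for s in sample_not_stapled sample_good sample_unknown; do
    printf '%s -> %s\n' "$s" "$("$s" | classify_stapling)"
done
```

A `stapled-unknown` verdict means the server is stapling but the responder has no status for the certificate, which is the condition behind the Firefox `sec_error_ocsp_unknown_cert` message reported earlier in the thread.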

  • tommy Member

    comXyz said: Do you know if IIS has anything to do with OCSP

    read this http://unmitigatedrisk.com/?p=95

    Thanked by 1comXyz
  • @rokok said:
    update2: all other browser works fine except firefox error: The OCSP server has no status for the certificate. (Error code: sec_error_ocsp_unknown_cert)

    Well, I set it to every hour, it's not a long process after all.

  • In my opinion OCSP stapling is very useful and should always be enabled. For WoSign certificates it is extra useful, because:

    • Other big CAs have their OCSP servers on a CDN, so the latency for your visitors will be ok. WoSign only has OCSP servers in China, so before establishing the SSL/TLS connection Firefox will have to wait for the OCSP response from China in order to proceed. This takes ages...

    • Since Firefox always queries the OCSP server to check whether the certificate was revoked, without OCSP stapling configured on your server your visitors will automatically send their IP and the Hostname they are visiting to "the Chinese™".

    On checkmyping.com I have successfully configured OCSP stapling with a WoSign certificate, see SSLlabs: https://www.ssllabs.com/ssltest/analyze.html?d=checkmyping.com
    The nginx config looks like this:

        ssl on;
        ssl_certificate /etc/nginx/ssl/checkmyping.com-unified.crt;
        ssl_certificate_key /etc/nginx/ssl/checkmyping.com.key;
    
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.4.4 8.8.8.8 valid=300s;
        resolver_timeout 10s;
        ssl_trusted_certificate /etc/nginx/ssl/checkmyping.com-unified-COMPLETE.crt; # needed for OCSP stapling
    

    For me there was no need for additional configuration with a cronjob updating a static file... The tricky part was the ssl_trusted_certificate directive: For ssl_certificate you should only use your certificate, WoSign CA Free SSL Certificate G2 and Certification Authority of WoSign. In order to have OCSP stapling working we need the ssl_trusted_certificate directive which points to all four certificates: the ones mentioned above and additionally the StartCom Certification Authority. Another thing is that it might take a day after creating the certificate until the OCSP servers know about it.

    On http://certificate.revocationcheck.com/ there is a really nice website for a very detailed analysis of the revocation status with CRL lists and OCSP data. But right now it seems to have hit its Google AppEngine limit with the notice "Oops, we have exceeded our resource quota!".

  • IceCream Member
    edited March 2015

    @cidero Do you mean this one http://www.startssl.com/certs/sub.class1.server.ca.pem with StartCom Certification Authority?

    Currently the error in nginx's log is:

    OCSP responder prematurely closed connection while requesting certificate status, responder: ocsp6.wosign.com

  • @IceCream: I usually just search for the hash shown in the ssllabs trust chain. So you can either use https://ssl-tools.net/certificates/a3f1333fe242bfcfc5d14e8f394298406810d1a0.pem (sha256) or https://ssl-tools.net/certificates/3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f.pem (sha1)

  • While using the ssl_trusted_certificate, nginx still has errors in the log:

    OCSP responder prematurely closed connection while requesting certificate status, responder: ocsp6.wosign.com

    or

    OCSP responder sent invalid "Content-Type" header: "text/html" while requesting certificate status, responder: ocsp6.wosign.com

  • rokok Member

    I'm considering dumping OCSP stapling on this. If you run a personal site or small blog it's not really necessary (more secure but a BIT slower for your site). If you're running a business or production site then you should not be using this free SSL. Simple.

  • @rokok said:
    If you're running a business or production site then you should not be using this free SSL

    Why?

  • rokok Member

    and why big company invest to use green ev ssl for huge amount of money? trust is another reason besides security ;)

  • @rokok said:
    and why big company invest to use green ev ssl for huge amount of money? trust is another reason besides security ;)

    And if you don't use EV SSL, or if you're not the real company to use EV SSL, then why?

  • rokok Member

    just saying, i know nothing jon snow

  • They still are offering the english version of their ssl?

  • @Syntrel said:
    They still are offering the english version of their ssl?

    yes, 1/2/3 years, sha1/sha256, english/chinese, all can be selected now :p

  • Still getting OCSP responder prematurely closed connection while requesting certificate status, responder: ocsp6.wosign.com.

  • saint Member

    Got one, now trying to install it
