| ▲ | throw20251220 14 hours ago |
| TLS certificates… SSL is some old Java anachronism. > There’s no natural signal back to the operators that the SSL certificate is getting close to expiry. There is. The not after is right there in the certificate itself. Just look at it with openssl x509 -text and set yourself up some alerts… it’s so frustrating having to refute such random bs every time when talking to clients because some guy on the internet has no idea but blogs about their own inefficiencies. Furthermore, their autorenew should have been failing loud and clear, everyone should know from metrics or logs… but nobody noticed anything. |
|
| ▲ | ronsor 13 hours ago | parent | next [-] |
| > TLS certificates… SSL is some old Java anachronism. OpenSSL is still called OpenSSL. Despite "SSL" not being the proper name anymore, people are still going to use it. By the way, TLS 1.3 is actually SSL v3.4 :) |
| |
| ▲ | throw20251220 13 hours ago | parent [-] | | [flagged] | | |
| ▲ | RijilV 12 hours ago | parent [-] | | except of course on the wire, where it's wildly a mess. TLS 1.3 version in the record header is 3.1 (that used by TLS 1.0), and later in the client version is 3.3 (that used by TLS 1.2). Neither is correct, they should be 3.4, or 4.0 or something incrementally larger than 3.1 and 3.3. This number basically corresponds to the SSL 3.x branch from which TLS descended from. There's a good website which visually explains this: https://tls13.xargs.org/#client-hello/annotated As for if someone is correct or whatever for calling out TLS 1.x as SSL 3.(x+1) IDK how much it really matters. Maybe they're correct in some nerdy way, like I could have called Solaris 3 as SunOS6 and maybe there were some artifacts in the OS to justify my feelings about that. It's certainly more proper to call things by their marketing name, but it's also interesting to note on they behave on the wire. | | |
|
|
|
| ▲ | toast0 13 hours ago | parent | prev | next [-] |
| If we're being picky, they're x.509 certificates, not TLS or SSL. |
| |
| ▲ | tialaramex an hour ago | parent | next [-] | | In this context the specific thing they are is certificates from the Web PKI. A PKI (Public Key Infrastructure) is an arrangement with Relying Parties (in this case, basically everybody), CAs (Certificate Authorities - in this case a mix of companies, not-for-profits, government and so on entities around the world) and Subscribers. The Subscriber says to a CA "I want you to certify that I'm some.website.example" and the CA issues them an X.509 certificate, which the Relying Parties trust to prove that this really is some.website.example. The Relying Parties (indirectly as we'll see shortly) ensure they trust only CAs who will do this name certifying job well. This uses Public Key encryption, which is a mathematical technology where you pick two related huge numbers, one public key (revealed to anyone who wants it) and one private (known only to you) and then you can prove you know the private key by performing arithmetic that anyone with the public key can verify is correct, and yet they could not perform that arithmetic without your private key. It is called the Web PKI because although this secures most of the Internet, the billions of Relying Parties are represented in practice almost solely by a handful of Trust Stores who mostly make Web Browsers. Specifically, Mozilla, Google, Microsoft and Apple. The Web PKI requires that the certificates are not only X.509 but specifically they obey PKIX, RFC 5280 which explains how X.509 (a standard from the X.500 directory system, a directory which in reality never ended up existing) can be used for the Internet (which very much did end up existing) via "Alternative Names". When your modern certificates have a "Subject Alternative Name" the word Alternative there means alternative to the X.500 naming scheme, which is irrelevant to us, specifically the Internet's two alternatives, an ipAddress (4 bytes or 16 bytes forming either an IPv4 or IPv6 address) or a dnsName (a subset of ASCII characters, punctuated with but never ending in a dot) Edited: Correct s/Server/Subject/ in expansion of SAN acronym | |
| ▲ | throw20251220 13 hours ago | parent | prev [-] | | Thanks for the correction. |
|
|
| ▲ | tomas789 14 hours ago | parent | prev | next [-] |
| I don’t think this is as simple as it seems. For example, we have our own CA and issue several mTLS certificates, with hundreds of them currently in use across our machines. We need to check every single one (which we don’t do yet) because there is an additional distribution step that might fail selectively. And that’s not even touching on expiring CAs, which is a total nightmare. |
| |
| ▲ | viraptor 13 hours ago | parent | next [-] | | If you have your own CA, you log every certificate with the expiry details. It's easier compared to an external CA because you automatically get the full asset list as long as you care to preserve it. | | |
| ▲ | SoftTalker 10 hours ago | parent [-] | | When I ran my own CA I issued certificates with 99-year expiry dates, and I never worried about them again. |
| |
| ▲ | throw20251220 13 hours ago | parent | prev [-] | | Why would it be difficult? You have a single CA, so a single place where certs are issued. That means there’s a single place with the knowledge of what certs are issued for which identity, how long are those valid for, and has there been a new cert issued for that identity prior to previous cert expiration. Could not be simpler, in fact. |
|
|
| ▲ | riffic 13 hours ago | parent | prev [-] |
| X.509 certificates |
| |
| ▲ | themafia 10 hours ago | parent [-] | | They specified a lot of stuff that ultimately didn't get used but ITU is still my favorite standards organization. | | |
| ▲ | tialaramex an hour ago | parent [-] | | To the extent that it can be considered an "organization" the IETF is definitely a better Standards Development Organization than the ITU. Most importantly because the IETF is for people, and I'm a person, whereas as a UN Specialized Agency the ITU is for UN Member States and I am not and will never be a UN Member State. |
|
|
