Login

Recent searches

No recent searches

Search options

Not available on social.wildeboer.net.
social.wildeboer.net is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastodon instance for people with Wildeboer as their last name

Administered by:

Server stats:

2
active users

social.wildeboer.net: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.6

#tls

1 post1 participant0 posts today
Public
Larvitz :fedora: :redhat:

Let's Encrypt soon starts offering TLS certificates with just 6 days of lifetime. It's just an option and the 90 day certs are also still offered but I doubt that this will add a lot of security.

letsencrypt.org/2025/01/16/6-d

Based on the number of occasions, I already had problems with the 90days renewals in the past (software bugs and human error), I see this the value in this move rather sceptical.

letsencrypt.orgAnnouncing Six Day and IP Address Certificate Options in 2025This year we will continue to pursue our commitment to improving the security of the Web PKI by introducing the option to get certificates with six-day lifetimes (“short-lived certificates”). We will also add support for IP addresses in addition to domain names. Our longer-lived certificates, which currently have a lifetime of 90 days, will continue to be available alongside our six-day offering. Subscribers will be able to opt in to short-lived certificates via a certificate profile mechanism being added to our ACME API.
#tls#letsencrypt#certificates
Public
Aral Balkan

New releases

• Kitten (rolling release)
• @small-tech/https version 5.3.2
• Auto Encrypt version 4.1.3

OCSP support has been reinstated in the server so existing sites with Let’s Encrypt certificates provisioned prior to the removal of the OCSP stapling requirement will not fail to load in Firefox.

Kitten servers in production will automatically update to this version in a few hours. You can also sign in to the Kitten settings page on your server and do a manual update to update Kitten immediately.

Thanks to @stefan and @s1r83r for bringing this to my attention. (mastodon.ar.al/@aral/113969540)

Aral’s fediverse serverAral Balkan (@aral@mastodon.ar.al)@s1r83r@pataterie.ca @stefan@gardenstate.social Thanks for the heads up, folks. So, here’s what’s happened: 1. Let’s Encrypt removed OCSP support and starting rejecting certificate requests that require OCSP stapling (a privacy feature that Kitten inherited from my Auto Encrypt module) for new server requests and will reject certificate renewal requests starting in May. 2. So I went ahead and removed the OCSP stapling requirement from the certificate requests Auto Encrypt makes to Let’s Encrypt. 3. I also removed OCSP support from the server. Makes sense, right? Sure does, until you consider what happens to servers with already-provisioned Let’s Encrypt certificates that have certificates that require OCSP stapling. (kitten.small-web.org’s certificate got renewed four days ago, before I’d released the updates.) *Doh!* 🤦‍♂️ Seems Safari and Chrom(ium) are fine with letting it pass. However, Firefox, (and correctly too, I might add), refuses to load the site. So I’m off to update Auto Encrypt to re-enable OCSP support with a note to disable it in May (by which time all certificates will have renewed anyway without the stapling requirement) and then issue new builds of @small-web/https and Kitten. Kitten servers should automatically upgrade and start working in Firefox in several hours. And you can also manually update them if you want to before then after I’ve announced the releases. Thanks again for letting me know. :kitten:💕 #Kitten #SmallWeb #AutoEncrypt #LetsEncrypt #TLS #SSL #HTTPS #OCSP
#Kitten#SmallWeb#SmallTech
Public *
Aral Balkan

New Kitten release

• Upgrades to version 5.3.1 of @small-tech/https¹ which has version 4.1.2 of Auto Encrypt² that l removes OCSP stapling (because Let’s Encrypt has removed OCSP support).

Please upgrade your Kitten as soon as possible or any new Kitten servers you try to set up will fail and any certificate renewals for existing servers will start to fail in May.

kitten.small-web.org

(To upgrade, run `kitten update`. Your production servers will update automatically.)

Enjoy!

:kitten:💕

¹ npmjs.com/package/@small-tech/
² npmjs.com/package/@small-tech/

#Kitten#SmallWeb#SmallTech
Continued thread
Public *
Aral Balkan

@small-tech/https version 5.3.0 released

• Uses Auto Encrypt 4.1.1 (removes OCSP stapling support because Let]s Encrypt has removed OCSP support).

npmjs.com/package/@small-tech/

This module is a drop in replacement for Node HTTPS module that automatically handles TLS certificate provisioning and renewal both at localhost (via Auto Encrypt Localhost¹) and at hostname (via Auto Encrypt with Let’s Encrypt certificates²).

So, this is how you create a HTTPS server in Node.js that uses this module and automatically handles TLS certificate provisioning and renewal for you both at localhost (during development) and at hostname (during production):

```js
import https from '@small-tech/https'

const server = https.createServer((request, response) => {
response.end('Hello, world!')
})

server.listen(443, () => {
console.log(' 🎉 Server running at https://localhost.')
})
```

(Yes, that’s it! I wrote a metric shit-tonne of meticulously-tested code so you don’t have to.) :)

💡 Note that the localhost certificate support via Auto Encrypt Localhost is 100% JavaScript and does NOT rely on an external binary like mkcert or certutil.

Needless to say, Kitten³ uses this module under the hood and it’s a big part of why Domain⁴ can deploy servers so easily that don’t require any day-to-day maintenance.

In case you’re wondering why I’m spending so much time releasing all these modules, it’s because I believe in sharing every brick of the house I’m building so others can easily build different houses if they want to. I’m not saying that what I’m building with Kitten, Domain, and Place⁵ will be the end all be all of the Small Web⁶ (the peer-to-peer web). And I want others to be able to experiment by building their own tools without having to go through the grueling development process I’ve had to in the past six years to build basic infrastructure.

Enjoy!

💕

¹ codeberg.org/small-tech/auto-e
² codeberg.org/small-tech/auto-e
³ kitten.small-web.org
codeberg.org/domain/app
codeberg.org/place/app
ar.al/2024/06/24/small-web-com

npm@small-tech/httpsA drop-in standard Node.js HTTPS module replacement with both automatic development-time (localhost) certificates via Auto Encrypt Localhost and automatic production certificates via Auto Encrypt.. Latest version: 5.3.0, last published: 16 minutes ago. Start using @small-tech/https in your project by running `npm i @small-tech/https`. There are 2 other projects in the npm registry using @small-tech/https.
#SmallWeb#SmallTech#AutoEncrypt
Continued thread
Public *
Aral Balkan

Auto Encrypt version 4.1.1 released

Fixed:

• User agent string now includes the correct Auto Encrypt version (and the name fragment “auto-encrypt” instead of “acme”).

• Tests now send `Connection: close` header so they’re not tripped up by the default `keep-alive` introduced in Node 19.

npmjs.com/package/@small-tech/

npm@small-tech/auto-encryptAutomatically provisions and renews Let’s Encrypt TLS certificates on Node.js https servers (including Kitten, Polka, Express.js, etc.). Latest version: 4.1.1, last published: 3 minutes ago. Start using @small-tech/auto-encrypt in your project by running `npm i @small-tech/auto-encrypt`. There are 3 other projects in the npm registry using @small-tech/auto-encrypt.
#SmallWeb#SmallTech#AutoEncrypt
Public *
Aral Balkan

Auto Encrypt version 4.1.0 released

• Removes OCSP stapling, as Let’s Encrypt is removing OCSP support.

If you’re already using Auto Encrypt upgrade before May or your certificate renewals will start to fail. Upgrade now if you want to get certificates for new domains as new certificate requests are already failing.

codeberg.org/small-tech/auto-e

Auto Encrypt automatically provisions and renews Let’s Encrypt TLS certificates on Node.js https servers (including Kitten¹, Polka, Express.js, etc.)

Regular Node.js HTTPS server (without Let’s Encrypt certificates):

```js
import https from 'node:https'
const server = https.createServer(…)
```

Auto Encrypt https server with automatic Let’s Encrypt certificates:

```js
import AutoEncrypt from '@small-tech/auto-encrypt'
const server = AutoEncrypt.https.createServer(…)
```

(Certificates are provisioned on first hit and automatically renewed 30 days before expiry.)

¹ kitten.small-web.org

Codeberg.orgauto-encryptAutomatically-provisioned TLS certificates for Node.js servers using Let’s Encrypt.
#AutoEncrypt#LetsEncrypt#TLS
Public
Aral Balkan

Just released Node Pebble version 5.1.1

• Updated to Pebble version 2.7.0.

• Now also supports macOS and arm64 (because Pebble itself does).

codeberg.org/small-tech/node-p

Node Pebble is a Node.js wrapper for Let’s Encrypt’s¹ Pebble² that:

• Downloads the correct Pebble binary for your platform.

• Launches and manages a single Pebble process.

• Returns a reference to the same process on future calls (safe to include in multiple unit tests where order of tests is undetermined)

• Automatically patches Node.js’s TLS module to accept Pebble server’s test certificate as well as its dynamically-generated root and intermediary CA certificates.

¹ letsencrypt.org

² “A miniature version of Boulder, Pebble is a small RFC 8555 ACME test server not suited for a production certificate authority.” github.com/letsencrypt/pebble

Codeberg.orgnode-pebbleA Node.js wrapper for Let’s Encrypt’s Pebble (a small RFC 8555 ACME test server not suited for a production certificate authority)
#LetsEncrypt#TLS#SSL
Public
Aral Balkan

So I guess Let’s Encrypt has decided what I’ll be working on today then…

letsencrypt.org/2024/12/05/end

(They’re ending OCSP stapling support. I’ll be updating Auto Encrypt¹ to remove OCSP support and then update @small-tech/https, which uses it, along with Auto Encrypt Localhost² to provide seamless TLS support regardless of whether you’re working in development or in production, and then update Site.js³ – deprecated but still used to serve some of our own sites at Small Technology Foundation⁴ – and Kitten⁵, with the latest @small-tech/https.)

¹ codeberg.org/small-tech/auto-e
² codeberg.org/small-tech/auto-e
³ codeberg.org/small-tech/https
small-tech.org
kitten.small-web.org

letsencrypt.orgEnding OCSP Support in 2025Earlier this year we announced our intent to provide certificate revocation information exclusively via Certificate Revocation Lists (CRLs), ending support for providing certificate revocation information via the Online Certificate Status Protocol (OCSP). Today we are providing a timeline for ending OCSP services: January 30, 2025 OCSP Must-Staple requests will fail, unless the requesting account has previously issued a certificate containing the OCSP Must Staple extension May 7, 2025 Prior to this date we will have added CRL URLs to certificates On this date we will drop OCSP URLs from certificates On this date all requests including the OCSP Must Staple extension will fail August 6, 2025 On this date we will turn off our OCSP responders Additionally, a very small percentage of our subscribers request certificates with the OCSP Must Staple Extension.
#SmallWeb#SmallTech#TLS
Public
Jan Schaumann

Looks like Russia is now blocking Cloudflare's Encrypted Client Hello traffic if:
- SNI is cloudflare-ech.com
- TLS ClientHelloOuter contains the "encrypted_client_hello" extension

github.com/net4people/bbs/issu

Russia officially recommends "owners of information resources disable the TLS ECH extension or, more correctly, use domestic CDN services".

cmu.gov.ru/ru/news/2024/11/07/

With increased ECH use, I expect certain other actors to follow suit.

GitHubBlocking of Cloudflare ECH in Russia, 2024-11-05 · Issue #417 · net4people/bbsBy wkrp
#tls#ech
Public *
ティージェーグレェ
Nice! @neverpanic@chaos.social just merged a Pull Request (specifically https://github.com/macports/macports-ports/pull/26827) that supposedly fixes building LibreSSL on some older versions of OS X?

Since my car was broken into and two laptops were stolen in August earlier this year, I no longer have the 2012 MacBook Pro I was using to test on older OS X versions.

Here's hoping the Port Health for LibreSSL improves!

(screenshot of the current Port Health for future reference attached)

#MacPorts #LibreSSL #TLS #macOS #OSX #OpenSSL #OpenSource
Screenshot of a web browser with https://ports.macports.org/port/libressl/details/ loaded. Of particular note: OS X versions Snow Leopard through High Sierra have red Xs next to them indicating build problems on those versions of OS X.
Public *
erstwhile

... Well done BoM .. as a Federal Australian Govt. funded service, it's only taken you 15 years to achieve what is the standard for 99% of legitimate internet facing webpages, (even then, just a "Beta" web site) that are capable of delivering weather information to Australians, that use .. *gasp!* ... transport layer security ...

* Slow Clap * and a belated welcome to the rest of the internet...

My private suspicion is that that cyber.gov.au finally beat them over the head with the "Essential 8" stick ... as opposed to just showing them it exists.

Self advertisement on bom.gov.au asking if we're https ready . . for their Beta site.
#BOM#BureauOfMeteorology#Weather
Continued thread
Public *
Pixelcode 🇺🇦

#DNSSEC and #DANE should not replace the established #TLS certificate authority system, because it would undermine end-to-end encryption between client and server, but I do believe that DNSSEC/DANE serve a legitimate role: preventing #DNS spoofing by third parties, i.e. proving that a DNS record really comes from the correct name server.

And in order to keep DNS requests private, DoH/DoT/DoQ should be the default.

Public
Pixelcode 🇺🇦

I don't fully understand #DNSSEC criticism yet: A major argument against it is that it's a “government-controlled PKI” and that, for example, “Gaddafi would have controlled bit.ly’s TLS keys if it had been deployed earlier”.

But isn't that a strawman? If a bad actor controls DNSSEC, they control all the other #DNS records too, i.e. the government can always point domains wherever they like and obtain valid #TLS certificates. The Taliban closed down queer.af completely without DNSSEC.

Public
Kim Crawley (she/her) 😷🍉

"Your certificates and encryption are only as good as your public key infrastructure (PKI). I could have the strongest mechanical lock on my front door. But if I leave my key where burglars can find it, it won’t be good at all.

So it’s absolutely crucial that you deploy, implement, and configure your PKI the right way, and avoid these very costly yet common mistakes."

This is new to my personal blog, even if it's not actually new. Please share. ❤

#tls #infosec

medium.com/@kim_crawley/8-ways

Medium · 8 ways you’re doing PKI wrong - Kim Crawley - MediumBy Kim Crawley
ExploreLive feeds
About