Archive for the ‘Security’ Category

A couple of certificates need to be renewed

April 23rd, 2011

I’m working on renewing the certificates. The new ones should be StartSSL™ Verified, which brings a couple of advantages (valid for two years, multiple domains in one cert etc.) and a slight disadvantage (they are not free anymore).

Update: The new certificate is in place. It’s valid for 2 years and has the following fingerprints:
SHA1: A8:22:15:A3:18:3D:AF:07:43:24:9C:9E:83:95:50:AC:15:17:90:53
MD5: D4:2F:D9:5F:70:BC:FD:AA:C4:EB:8F:F5:63:10:BA:3D

Categories: Maintenance, Security

Certificate renewal – thiessen.im

August 11th, 2010

A certificate will be replaced this week since it has expired.

This is a list of fingerprints in order to make sure you know it’s safe to accept the new one:

thiessen.im:
SHA1 Fingerprint=9F:57:4E:D7:14:74:8B:99:C7:57:5D:DD:DF:79:DE:34:27:FF:61:8A
MD5 Fingerprint=93:B2:7E:AB:C2:6D:05:F0:50:20:89:9C:7B:FD:97:4B

This post will be updated once the new certificate is in place. As always, please let us know if you encounter any kind of problems.

Update: Done

Categories: Maintenance, Security

Certificate renewal

April 21st, 2010

A couple of certificates will be replaced today since they have expired.

This is a list of fingerprints in order to make sure you know it’s safe to accept the new ones:

thiessen.it and im.thiessen.it:
SHA1 Fingerprint=B6:61:1A:41:6E:94:1F:11:C1:CD:53:EE:66:BB:DF:36:B9:1E:BA:01
MD5 Fingerprint=35:D0:93:20:86:89:A5:4D:FE:5F:F6:E8:7F:3F:80:B0

jabber.thiessen.it:
SHA1 Fingerprint=5D:72:1C:D2:15:5A:64:5C:73:9A:68:6A:04:4C:A0:3E:B3:BD:29:D0
MD5 Fingerprint=28:81:BD:CB:0E:68:08:1F:E9:B5:6B:1F:C2:A7:47:CB

thiessen.org:
SHA1 Fingerprint=0F:C4:17:FE:1D:CB:46:0E:39:A8:BF:69:F3:87:8D:57:4E:B8:42:EC
MD5 Fingerprint=8C:FA:B4:E8:2B:41:02:0C:61:2E:83:47:7B:7F:6A:CB

This post will be updated once the new certificates are in place. As always, please let us know if you encounter any kind of problems.

Update: The new certificates have been applied.

Categories: Maintenance, Security

General C2S encryption requirement?

September 4th, 2009

Not long ago we announced thiessen.org requiring C2S encryption.
We are considering enabling the option for the thiessen.it domains as well and would like your opinion.

Update: Sometime next week we will enable the option and update this post accordingly. Done.
Thanks for voting!

Categories: Security

‘thiessen.org’ requires client to server encryption

June 28th, 2009

Today we enabled an option that requires client to server connections to be encrypted.
In turn, this means that if you are talking to someone on the same server, you can be certain there’s no unencrypted connection between you and your counterpart.

Nevertheless we encourage you to use e2e (end to end) encryption using OpenPGP, OTR and so on.

Categories: Security

Certificate revoked

February 24th, 2009

Yesterday our certificate signed by the XMPP Intermediate Certification Authority was revoked.
Supposedly it was ‘misused’ as an https certificate in order to secure the ejabberd administration panel as well as web access to several MUCs. StartCom told us that wildcard certificates issued by the XMPP ICA are not meant for (public) https usage.

This information is contrary to what is published in the Certificate Issuance HOWTO, which is based on the StartCom policy in this regard.

For the domain, provide the DNS hostname of the XMPP server. For example, if your organization is called “example.com” but your XMPP server is hosted at “im.example.com”, type “im” in the first box at the StartCom interface, type “example” in the second box, and select “com” from the dropdown list at the end of the “Domain: xmpp:” line. You can also request a wildcard certificate such as *.example.com (type “*” in the first box, type “example” in the second box, and select “com” from the dropdown list). A wildcard domain enables you to use the same certificate for multiple components (e.g., “groupchat.example.com” as well as “im.example.com”). You can even use a wildcard certificate for a domain such as “www.example.com”. NOTE: if your top-level domain is not available in the dropdown list, please send email to <mailto:certmaster@xmpp.org>.

This morning we applied for new certificates and are awaiting approval. We are sorry for the inconvenience and will update you once the certificates have been exchanged.

Update: The certificates have been exchanged successfully. Have a nice stay!

Categories: Downtimes, Security