Mastodawn

Drew Naylor Nov 29

Taking a look at StartCOM Linux: Part 1

https://pneumanode.com/w/dgCrDuAoumHoDBKCkHHkHQ

Taking a look at StartCOM Linux: Part 1

PeerTube

mirabilos Jun 3, 2025

Remember the threads¹² about #LetsEncrypt removing a crucial key usage from certificates issued by them in predictive obedience to their premium sponsor Google?

We were at first concerned about #SMTP. While I had lived through this problem with #StartSSL by #StartCom back in 2011, I only had a vague recollection of Jabber but recalled in detail that it broke server-to-server SMTP verification (whether the receiving server acted on it or just documented it).

Well, turns out someone now reported that it indeed breaks #XMPP entirely: https://community.letsencrypt.org/t/do-not-remove-tls-client-auth-eku/237427/66

This means that it will soon no longer be possible at all to operate Jabber (XMPP) servers because the servers use the operating system’s CA certificate bundle for verification, which generally follows the major browsers’ root stores, which has requirements from the CA/Browser forum who apparently don’t care about anything else than the webbrowser, and so no CA whose root certificate is in that store will be allowed to issue certificates suitable for Jabber/XMPP server-to-server communication while these CAs are the only ones trusted by those servers.

So, yes, Google’s requirement change is after all breaking Jabber entirely. Ein Schelm, wer Böses dabei denkt.

Update: it also breaks the connections between domain registrars and registries, with most being unaware that there even is a problem at this time, let alone the crazily short timeframe. See the thread linked to in a self-reply, which also confirms that the CA/Browser forum is supporting Google in this (possibly by means of Google paying, my interpretation).

While https://nerdcert.eu/ by @jwildeboer would in theory help, it’s not existent yet, and there’s not just the question of when it will be included in operating systems’ root CA stores but whether it will be included in them at all.

Google’s policy has no listed contact point, and the CA/B forum isn’t something mere mortals can complain to, so I’d appreciate if someone who can, and who has significant skills to argument this in English and is willing to, to bring it to them.

① mine: https://toot.mirbsd.org/@mirabilos/statuses/01JV8MDA4P895KK6F91SV7WET8
② jwildeboer’s: https://social.wildeboer.net/@jwildeboer/114516238307785904

Do NOT remove TLS Client Auth EKU!

I was also bit by this. I switched to tlsserver profile, and when my XMPP certificate got renewed today, it failed to make any S2S connections :(. I'd to revert to classic profile. Could we please keep TLS client auth EKU ? Thanks!

Let's Encrypt Community Support

Calicosine Apr 30, 2024

I think the reason why #StartCOMLinux fascinates me so much is because it's so obscure I couldn't find any #YouTube videos on it before mine, the logo is a blue and black version of the #RedHat logo, and its website that was still up in 2016 still had a mid-late 2000s style with the newest version having been released several years before and there was a preview screenshot of the next version of the Multimedia Edition but they never released that one.
1/2

#StartCOM #Linux

Calicosine Apr 29, 2024

I'm sorry I never kept the #StartCOMLinux ISO files and deleted them several years ago to save space. I checked the Internet Archive and only the Enterprise one was on there.

#LostMedia #Linux #StartCOM