So, we do rotate our certs, though I thought it was monthly.

We're also going through various changes of our certs, including a root
cert change and a likely new G3 intermediate cert (I don't think this is
live yet, but I haven't checked).

When we do change certs, we roll them out slowly to some datacenters and
then others until it reaches all of them.  It is likely what you're seeing
is that different connections are getting different results.  Do you
"remember" past certs that were okayed by your users, or only just one?  If
you remembered all of them, you'd be in a better position.

That said, you're asking your users to perform a security assessment that
they are almost certainly going to do wrong.  They can't know whether a
cert was revoked or from a bad/rogue/compromised CA, and since they just
want their mail, they'll almost certainly make the wrong choice.

Anyways, good luck with that.

Brandon

On Fri, Oct 13, 2017 at 10:48 AM, Kostya Vasilyev <kmans...@gmail.com>
wrote:

> Hello,
>
> We have an email app with a security setting to "track SSL certificate
> changes".
>
> The app "remembers" the SSL certs it has seen for a particular server
> / port, and if, when it connects, it finds that the cert has changed,
> it flags this as an error and requires the user to decide if he/she
> wants to proceed (displaying information about the "last known" and
> the "new" certificates).
>
> This has been causing us trouble with Gmail where Google has been
> changing the SSL certs about once a week, and maybe even more often
> recently: the app flagging those frequent changes is seen by users as
> an annoyance or a bug.
>
> To make this security feature less obnoxious, we've decided to
> unconditionally accept any certificates issued by Google's Issuing CA
> certificate (based on the hash):
>
> https://pki.google.com/
>
> We don't "pin" this certificate since the FAQ mentions that it may
> change. But until it does - and that seems to happen once a year -
> using it as a "shortcut" to avoid prompting the user seems to us like
> a good solution.
>
> Now for my actual question:
>
> Despite the "special case" for Google Authority G2 as the issuer, we
> still got a few (just a few) complaints that our "SSL cert change"
> dialog / error kept popping up.
>
> I'm trying to understand why that could be.
>
> Are there certificates currently in use by Gmail (IMAP / SMTP) which
> were not issued by the *current* "G2" issuer?
>
> Can there be a mix of those (from the non-current G2) + those that
> are issued by the *current* G2?
>
> Or putting it differently - is there possibly more than one G2 issuer
> cert in service at a time (and the "end" certificates issued by
> those)?
>
> If there is, is there a published list of all current G2 certs? The
> page at pki.google.com just lists one (current) and a few old and
> clearly not in service (from 2014 and 2015).
>
> -- K
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>
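Added example, not code from either poster: a minimal model of the "track SSL certificate changes" store described in the quoted message (remembered leaf certs per server/port plus an issuer-hash allowlist), used to compare the reply's suggestion of remembering every accepted cert against remembering only the last one while a staged rollout flaps between datacenters. All fingerprints and the host name are constructed placeholders.

```python
# Added example (not from the thread): a "track SSL certificate changes" store
# that remembers every leaf certificate a user has accepted for a host:port,
# plus an allowlist of issuer fingerprints, and shows how a rolling cert rollout
# behaves under "remember only the last cert" versus "remember all of them".
# All fingerprints below are constructed placeholders, not real certificates.

from dataclasses import dataclass, field

PROMPT, KNOWN, ISSUER_OK = "prompt", "known", "issuer-allowlisted"

@dataclass
class CertStore:
    # issuer fingerprints accepted unconditionally (the "G2 shortcut" from the thread)
    trusted_issuers: set = field(default_factory=set)
    remember_all: bool = True
    seen: dict = field(default_factory=dict)  # (host, port) -> set of leaf fingerprints

    def check(self, host, port, leaf_fp, issuer_fp, user_accepts=True):
        """Classify a presented leaf cert; PROMPT means the user had to decide."""
        known = self.seen.setdefault((host, port), set())
        if leaf_fp in known:
            return KNOWN
        if issuer_fp in self.trusted_issuers:
            self._remember(known, leaf_fp)
            return ISSUER_OK
        # Unknown leaf from an unlisted issuer: the user must decide.
        if user_accepts:
            self._remember(known, leaf_fp)
        return PROMPT

    def _remember(self, known, leaf_fp):
        if not self.remember_all:
            known.clear()  # "remember only the last cert" behaviour
        known.add(leaf_fp)

def prompts_during_rollout(remember_all, connections):
    """Count prompts while old and new leaf certs alternate across datacenters."""
    store = CertStore(trusted_issuers={"ISSUER-G2-CURRENT"}, remember_all=remember_all)
    return sum(store.check("imap.example.test", 993, leaf, issuer) == PROMPT
               for leaf, issuer in connections)

# Constructed rollout: a new intermediate ("G3") not on the allowlist, so its
# leaf needs one user decision; connections keep flapping between datacenters.
ROLLOUT = [("LEAF-A", "ISSUER-G2-CURRENT"), ("LEAF-B", "ISSUER-G3-NEW")] * 3

if __name__ == "__main__":
    print("remember all :", prompts_during_rollout(True, ROLLOUT), "prompt(s)")
    print("remember last:", prompts_during_rollout(False, ROLLOUT), "prompt(s)")
```

With the allowlist alone, the old G2-issued leaf never prompts, but a leaf from an unlisted issuer prompts on every connection once the store forgets it; keeping the full set of accepted certs reduces that to a single decision.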