On Fri, 14 Dec 2012, Christopher Morrow wrote:
On Fri, Dec 14, 2012 at 6:03 PM, Peter Kristolaitis <alter3d@alter3d.ca> wrote:
In my experience, free/cheap certs "not working" on some clients is, in 99.9% of cases, a misconfiguration error where the server isn't presenting the cert chain properly (usually omitting the intermediate cert), which works on some platforms (often because they include the intermediate certs to work around these kinds of problems) but not on others. Fixing the cert chain that's presented to the client has ALWAYS resolved these types of issues in my experience.
And in the case of the original topic... if the Gmail servers don't accept StartSSL certs, please let me know and I'll see about a fix.
Tangentially to this: any chance of supporting TLSA/DANE records for _110._tcp.domain and _995._tcp.domain? (and the IMAP equivalents). That would let people carry on using self-signed certs who prefer to, and let people who have a cert that chains back to a root CA assert which root CA the cert should chain back to, which would be nice in these days of DigiNotar and Comodo hacks...

--
[http://pointless.net/] [0x2ECA0975]
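
Added example, not part of the thread and not any poster's code: a Python sketch of the TLSA records the last message asks about, one pinning a self-signed leaf (usage 3) and one asserting a CA (usage 2), with the matching step from RFC 6698 for selector 0 only. The host name mail.example.com and the two certificate byte strings are constructed placeholders; selector 0 treats a certificate as opaque bytes, so they stand in for DER here.

```python
import hashlib

# TLSA certificate usages and matching types from RFC 6698.
DANE_TA, DANE_EE = 2, 3            # assert a CA / pin the server's own cert
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}

# Constructed placeholders standing in for DER-encoded certificates.
LEAF = b"constructed-leaf-certificate-der"
CA = b"constructed-ca-certificate-der"

def tlsa_owner(port, domain, proto="tcp"):
    """Owner name for a service, e.g. _995._tcp.mail.example.com."""
    return f"_{port}._{proto}.{domain.rstrip('.')}."

def assoc_data(cert_der, mtype):
    """Association data for selector 0 (whole certificate), hex encoded."""
    return cert_der.hex() if mtype == 0 else DIGESTS[mtype](cert_der).hexdigest()

def tlsa_rr(port, domain, usage, cert_der, mtype=1):
    """Zone-file line for a selector-0 TLSA record."""
    data = assoc_data(cert_der, mtype)
    return f"{tlsa_owner(port, domain)} IN TLSA {usage} 0 {mtype} {data}"

def parse_rr(line):
    """Pull (usage, selector, mtype, data) from a line built by tlsa_rr."""
    usage, selector, mtype, data = line.split()[-4:]
    return int(usage), int(selector), int(mtype), data.lower()

def chain_matches(rrset, chain):
    """True if any TLSA record matches the chain the server presented.

    chain[0] is the leaf. This is the matching step only: after a usage 2
    match the client still validates the path up to the matched cert.
    """
    for usage, selector, mtype, data in map(parse_rr, rrset):
        if selector != 0 or mtype not in (0, 1, 2):
            continue               # selector 1 (public key only) not handled
        if usage == DANE_EE:
            candidates = chain[:1]  # only the leaf can satisfy usage 3
        elif usage == DANE_TA:
            candidates = chain      # any certificate the server sent
        else:
            continue
        if any(assoc_data(c, mtype) == data for c in candidates):
            return True
    return False
```

A usage 2 record can only match a certificate the server actually sends, so the omitted-intermediate misconfiguration described earlier in the thread also makes this check fail when the asserted CA is left out of the presented chain.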