DNS Certification Authority Authorization (CAA) Policy / DNSSEC for whonix.org / ssllabs.com test results / OCSP ERROR: Exception: connect timed out [http://r3.o.lencr.org] / Must-Staple


Dev/About Infrastructure - Kicksecure chapter OCSP in Kicksecure wiki


Err:1 tor+https://deb.whonix.org bookworm-developers InRelease
Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. Could not handshake: Error in the certificate verification. [IP: 127.0.0.1 8082]
Reading package lists… Done
E: Failed to fetch tor+https://deb.whonix.org/dists/bookworm-developers/InRelease Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. Could not handshake: Error in the certificate verification. [IP: 127.0.0.1 8082]
E: Some index files failed to download. They have been ignored, or old ones used instead.

nginx ssl_stapling_file:

Now hopefully fixed.

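Added example, not code from the thread or from Whonix: a check for the condition behind the apt error above (a stapled OCSP response whose Next Update has passed), by parsing the text that `openssl ocsp -respin <file> -text -noverify` prints for the DER file nginx serves via ssl_stapling_file. The sample output is constructed, and `check_staple_file` and the two-day refresh margin are assumptions of this example.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample of `openssl ocsp -respin stapled.der -text -noverify` output.
SAMPLE_OCSP_TEXT = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = US, O = Let's Encrypt, CN = R3
    Produced At: Feb  1 09:00:00 2024 GMT
    Responses:
    Cert Status: good
    This Update: Feb  1 09:00:00 2024 GMT
    Next Update: Feb  8 08:59:58 2024 GMT
"""

_TIME_FMT = "%b %d %H:%M:%S %Y GMT"  # openssl's GENERALIZEDTIME rendering


def parse_ocsp_text(text):
    """Return (cert_status, this_update, next_update) from openssl -text output."""
    def grab(label):
        m = re.search(rf"^\s*{label}:\s*(.+?)\s*$", text, re.M)
        if not m:
            raise ValueError(f"missing '{label}' in OCSP text")
        return m.group(1)
    as_utc = lambda s: datetime.strptime(s, _TIME_FMT).replace(tzinfo=timezone.utc)
    return grab("Cert Status"), as_utc(grab("This Update")), as_utc(grab("Next Update"))


def staple_verdict(text, now, refresh_margin=timedelta(days=2)):
    """Classify a stapled response relative to `now` (datetime or ISO 8601 string)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    status, this_update, next_update = parse_ocsp_text(text)
    if status != "good":
        return "revoked-or-unknown"
    if now < this_update:
        return "not-yet-valid"
    if now >= next_update:
        return "stale"  # clients such as apt/gnutls reject this as superseded
    if next_update - now < refresh_margin:
        return "refresh-soon"  # assumed margin: fetch a new response before expiry
    return "fresh"


def check_staple_file(path, now=None):
    """Run openssl on the DER file configured as nginx ssl_stapling_file (assumed path)."""
    out = subprocess.run(["openssl", "ocsp", "-respin", path, "-text", "-noverify"],
                         capture_output=True, text=True, check=True).stdout
    return staple_verdict(out, now or datetime.now(timezone.utc))
```

nginx serves the contents of ssl_stapling_file as-is and does not refresh it, so a job that re-fetches the response and runs this check before Next Update is what keeps the staple from going stale.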

SSL_ERROR_RX_RECORD_TOO_LONG


Side note:

DHE suites not supported: This server doesn’t support the Diffie-Hellman (DH) key exchange.

Since our certificate is based on ECDSA (not RSA), we don't need DHE for PFS.

Although this OWASP cheat sheet says to use DHE, it doesn't point out whether you are using ECDSA vs RSA. Thus using ffdhe8192 (or lower variants) is only for backward compatibility where devices don't support elliptic curves and rely on DHE (which is something against the principle of keeping it safe and updated) for the connection.
