s3.amazonaws.com “certificate verification failed” errors due to crappy Verisign certs and overzealous curl policies
Seth Vargo is correct. Its not the bit length of the key which is at issue, its the signature algorithm. The entire keychain for the s3.awsamazon.com key is signed with SHA1withRSA: https://www.ssllabs.com/ssltest/analyze.html?d=s3.amazonaws.com&s=220.127.116.11&hideResults=on At issue is that the root verisign key has been marked as weak because of SHA1 and taken out of the curl bundle which is widely popular, and this issue will continue to cause more and more issues going forwards as that bundle makes it way into shipping o/s distributions and aws certification verification breaks.‘This is still happening and curl is now failing on my machine causing all sorts of fun issues (including breaking CocoaPods that are using S3 for storage).’ — @jmhodges This may be a contributory factor to the issue @nelson saw: https://nelsonslog.wordpress.com/2015/04/28/cyberduck-is-responsible-for-my-bad-ssl-certificate/ Curl’s ca-certs bundle is also used by Node: https://github.com/joyent/node/issues/8894 and doubtless many other apps and packages. Here’s a mailing list thread discussing the issue: http://curl.haxx.se/mail/archive-2014-10/0066.html — looks like the curl team aren’t too bothered about it.
(tags: curl s3 amazon aws ssl tls certs sha1 rsa key-length security cacerts)
Cassandra moving to using G1 as the default recommended GC implementation
This is a big indicator that G1 is ready for primetime. CMS has long been the go-to GC for production usage, but requires careful, complex hand-tuning — if G1 is getting to a stage where it’s just a case of giving it enough RAM, that’d be great. Also, looks like it’ll be the JDK9 default: https://twitter.com/shipilev/status/593175793255219200
(tags: cassandra tuning ops g1gc cms gc java jvm production performance memory)
ThisIsColossal now have a shop! bookmarking for some lovely gifts