Hi

It's a crazy world when it comes to self signed certs.

You have at least 5 OS's you need to consider (MS, Linux/FBSD, OS-X, I-OS, Android). You need to think about both browsers and mail clients. Each of those come from a half dozen sources on each platform. Then you have configuration options on each. That's a lot of combinations.

Each combo seems to have a different idea of what not to do when they see a self signed cert. If you want to be able to handle all of them, even "real" certs may have issues. There are indeed several common combo's that are a major pain with a self signed cert.

No, I didn't write any of the code with the problems in it. I also don't want to get into the details of what and where. This really isn't the forum for that sort of thing. I'm not out to bash any particular solution, only to point out that there are indeed issues.

Bob

On Oct 15, 2010, at 3:00 PM, Jason Rabel wrote:

On 10/16/2010 12:08 AM, Bob Camp wrote:

Do handle part of the mess, we have setup our local root cert at the
computer club, and then sign our server certs to that. I did a major
overhaul on the infrastructure for that. It is still not "real" safety
routines, but ah well. We provide a cert download which quickly solves
the cert issue with most browser.

Seems to work for our myriad of server and client OSes and clients.

There is various ways to get "real" root certs, but depending on degree
of uhm... safety... it may be argued of their capabilities. There is
efforts to build a chain of trust for a stable free root cert, but it is
so far nog included in any major browsers.

Essentially it's a mess. I'm only scratched the surface here.

Cheers,
Magnus

Hi

The issue is as much defective software as anything else. There simply aren't enough self signed situations out there to drive a problem up their solution list.

The gotcha is the good old "but my software works with everything else". May be easy to get around that with the technically inclined. Not so much when the customer is mom.....

Bob

On Oct 15, 2010, at 7:00 PM, Magnus Danielson wrote:

bJason Rabel said the following on 10/15/2010 03:00 PM:

And that's what the old cert was.  I will create a new one as soon as I
get a chance (I'm traveling for a couple of days so it may be a bit).

I thought the last time I gen'd the cert it was for 10 years, but it's
possible that a software update may have resulted in creating a new one
with the default 1-year lifetime.

John

Hi

One example of self signed issues:

Oct 15 19:57:16 vps postfix/smtpd[24030]: disconnect from localhost.localdomain[127.0.0.1]
Oct 15 19:57:16 vps amavis[20436]: (20436-10) Passed CLEAN, [173.163.57.9] [173.163.57.9] lists@rtty.us -> jra@febo.com, Message-ID: D196153F-7F6B-4E3D-B9CE-DD43176D5AF7@rtty.us, mail_id: giFaXckeIyKN, Hits: 0, size: 4061, queued_as: 1075AB3B0046, 589 ms
Oct 15 19:57:16 vps postfix/lmtp[24019]: 4734CB3B0044: to=jra@febo.com, relay=127.0.0.1[127.0.0.1]:10024, delay=0.86, delays=0.26/0.01/0/0.59, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=20436-10, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1075AB3B0046)
Oct 15 19:57:16 vps postfix/qmgr[23779]: 4734CB3B0044: removed
Oct 15 19:57:16 vps postfix/smtp[24031]: certificate verification failed for meow.febo.com: num=18:self signed certificate
Oct 15 19:57:21 vps postfix/smtp[24031]: 1075AB3B0046: to=jra@febo.com, relay=meow.febo.com[64.34.184.112]:25, delay=5.2, delays=0.01/0.01/0.43/4.7, dsn=2.0.0, status=sent (250 OK id=1P6u9E-00036G-Gx)
Oct 15 19:57:21 vps postfix/qmgr[23779]: 1075AB3B0046: removed

Sorry to pick on John when he can't do anything, but the timing was perfect.

Bob

Oct 15, 2010, at 7:53 PM, John Ackermann N8UR wrote:

I just received my LPRO-101 with a GPSDO control on it, from
TenMhz.com. After fiddling with getting a good placement for the GPS
antenna, so that it doesn't keep losing the satellites, I have been
attempting to discipline the oscillator for more than 24 hours.

At this point, the LED has been toggling red / green for the past 24
hours which indicates solid GPS acquisition and < 5e-8. But it isn't
locked to NIST until it turns solid green which indicates < 5e-11.

Since this is a first deployment at my location, is it reasonable
behavior for it to take longer than 24 hours to lock to NIST through
GPS? Or do you think something may be wrong with the device.

I already know by comparison to WWV that I'm within a few mHz of
being aligned, but noise in the measurements, human impatience, and
wander in the soundcard clock, prevents me knowing any better than
this. So already I'm < 5e-10. But that's about all I know until I see
it lock. (If it ever does...)

eh?

Dr. David McClain
Chief Technical Officer
Refined Audiometrics Laboratory
4391 N. Camino Ferreo
Tucson, AZ  85750

email: dbm@refined-audiometrics.com
phone: 1.520.390.3995
web: http://refined-audiometrics.com

On Oct 15, 2010, at 16:00, Magnus Danielson wrote:

Hi

Straight out of the box, an LPRO should be within <2x10^-10 after an hour on power. That's with no disciplining and just normal luck in terms of it getting banged about in shipment. That also assumes it was set properly before it was shipped.

As long as your antenna is outdoors with a good view of the sky to the south, the receiver should find enough sats to stay in timing mode all the time. In the horizontal plane the sky within +/- 30 degrees of due north is not very important for GPS. Vertically a view to within 20 degrees of the horizon is considered ok for this sort of thing.

I'd give it a bit more time, but it sounds flaky to me.

Bob

On Oct 17, 2010, at 5:55 AM, David McClain wrote:

Le 17/10/2010 11:55, David McClain a écrit :

I don't have this box or an LPRO, but if the manafacturer says 24hrs is
OK, then I guess that should be enough.  You may need to give them a
call. However am wondering if you are getting reflected path GPS
signals. You said  that you had to fiddle with the antenna placement.
Are you in an urban jungle? I have a situation where I can see
satellites at all times, but once or twice a day I am getting strong
reflected signal which is disturbing the GPS 1PPS. It is due to buidings
opposite my north facing office where the antenna sits. The issue is
seen with my TBOLT, Z3801A and  independent Oncore GPS engines all of
which are not the latest hardware.  That would cause the PLL to be
constantly chasing a moving target.

Well, not exactly an urban jungle here, but there could be multipath
off the neighbor's home... Thanks for that suggestion. I will try
moving the antenna about.

When I first deployed it, the GPS would go solid reception for a
while, and it actually claimed to lock, after only an hour or so. But
it kept losing the birds and would go back into hunt mode after about
20 minutes of lock time. I wasn't sure that I could trust the lock
indication after so short a time. And I didn't like the sporadic lock
conditions.

So I tried duct taping the antenna to the roof tiles that I could
reach and got solid GPS reception, but no lock.

The antenna is a little black hockey puck with a magnetic base. I
wonder if it would do better affixed to a metal ground plane?

First time user of a GPSDO and so I don't know what to expect. But
I'm also beginning to understand better that a GSPDO probably is more
than was warranted for the needs of a solid reference oscillator for
radios. Now that I'm learning more about Rb and GPSDO's in general, I
probably could have got by quite well with just a bare LPRO. And I am
also beginning to understand that GPSDO's don't necessarily have
internal Rb references -- looks like the T'Bird is just a really good
OCXO with a GPS discipline. And everyone is raving about T'Birds...
The LPRO has an internal Rb reference and an untamed VCXO.

Thanks for all the advice!

Dr. David McClain
Chief Technical Officer
Refined Audiometrics Laboratory
4391 N. Camino Ferreo
Tucson, AZ  85750

email: dbm@refined-audiometrics.com
phone: 1.520.390.3995
web: http://refined-audiometrics.com

On Oct 17, 2010, at 06:07, mike cook wrote: