Weblog

17 September 2014, 09:35

The SHA1 hash algorithm will soon be considered deprecated. So, if you have an SSL certificate signed with this algorithm, it's time to replace it. There is no immediate hurry, but doing so before the end of the year would be wise. Ask your SSL certificate supplier if they offer a free renewal, because many do.

The SSL certificate used by this website was also signed via SHA1. But thanks to Chris Wadge, who donated the certificate, the Hiawatha website is now back to an A+ score.

Chris Wadge
17 September 2014, 10:12
It's also important to make sure your intermediaries aren't using SHA-1, even if you specified SHA-2 in your CSR. If you're unsure, this tool is handy: https://shaaaaaaaaaaaaa.com/
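As an added example (not code from the post, from Hiawatha, or from the tool linked above): a small Python check that walks the outer DER structure of every certificate in a PEM bundle and reports its signature-algorithm OID, flagging the two SHA-1 ones, so a SHA-1 intermediate sitting behind a SHA-2 leaf is caught. The sample chain is constructed from minimal DER skeletons; to audit a live server, feed `audit_chain` the PEM output of `openssl s_client -showcerts`.

```python
import base64
import re

# Signature-algorithm OIDs that mean "signed with SHA-1": sha1WithRSAEncryption, ecdsa-with-SHA1.
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                # base-128 arcs, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded X.509 certificate."""
    tag, pos, _ = _tlv(der, 0)         # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sigValue }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(der, pos)     # step over tbsCertificate without parsing it
    tag, pos, _ = _tlv(der, tbs_end)   # signatureAlgorithm ::= SEQUENCE { OID, parameters }
    tag2, oid_start, oid_end = _tlv(der, pos)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    return _decode_oid(der[oid_start:oid_end])

def audit_chain(pem_text):
    """For each certificate in a PEM bundle (leaf first): (index, signature OID, signed_with_sha1)."""
    out = []
    for i, b64 in enumerate(PEM_RE.findall(pem_text)):
        oid = signature_algorithm(base64.b64decode("".join(b64.split())))
        out.append((i, oid, oid in SHA1_OIDS))
    return out

def pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# Constructed sample, not real certs: DER skeletons with a dummy tbsCertificate and signature value;
# a sha256WithRSAEncryption leaf in front of a sha1WithRSAEncryption intermediate.
SAMPLE_CHAIN = pem(bytes.fromhex("3018 3003020101 300d06092a864886f70d01010b0500 03020000")) + \
               pem(bytes.fromhex("3018 3003020101 300d06092a864886f70d0101050500 03020000"))
```

Any entry with the third field `True` is a certificate in the chain that still needs reissuing; a CA-supplied intermediate that shows up here must be swapped for the CA's SHA-2 intermediate when the leaf is reissued.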
René
19 September 2014, 16:15
Thanks for the heads up!
Chris Wadge
22 September 2014, 05:10
Hey Hugo, just an FYI, but it looks like you may have forgotten to load the new cert on your MTA. The old one gets revoked after a reissue.
Hugo Leisink
22 September 2014, 09:00
I don't use the certificate for my MTA, only for the website. But thanks for the heads up.
Chris Wadge
23 September 2014, 07:37
Technical details of temporary failure:
Google tried to deliver your message, but it was rejected by the server for the recipient domain leisink.net by leisink.net. [141.138.201.249].

The error that the other server returned was:
454 4.7.0 TLS not available due to local problem
Hugo Leisink
23 September 2014, 09:02
I already saw some error messages from mailservers requiring STARTTLS. Sigh, I hate SMTP...
Chris Wadge
23 September 2014, 10:06
Don't we all?