Starting this Wednesday, October 22[1], Gandi will begin issuing SHA-2 Standard, Pro and Business SSL certificates.

As you may have heard, the SHA-1 signature algorithm is being gradually deprecated in favor of the SHA-2 family (SHA-256, SHA-384, SHA-512, and so on).

Don't panic, though. At present, producing a SHA-1 collision is still very expensive. But collision attacks against SHA-1 will only get cheaper over time, so the sooner everyone migrates, the better.

Note that if you are currently using a SHA-1 certificate, or want to buy one, you can still do so for now. We are entering a transition period in which both algorithms are supported; SHA-1 will be supported until 1 January 2017.

Most certification authorities, browsers, and operating systems already support SHA-2 signatures. You may still run into compatibility problems in some cases, for example with Mozilla Firefox[2], because the root certificate at the top of the SHA-2 chain (USERTrust RSA Certification Authority; see the chain below) has not yet been added to every trust store. Browser vendors are in the process of adding it.

If you're ready to migrate to SHA-2, you have two options to choose from:

  • If you want to secure your website or application with SHA-2 only, and compatibility is not a concern, install your SHA-2-signed certificate together with the SHA-2 intermediate certificate only. This is the most secure option, since every signature in the chain is SHA-2. It is the right choice if you favor security over compatibility, or if you know that your visitors' browsers trust the SHA-2 root (for example, a company site accessed only by employees using modern browsers).
  • If you want to serve SHA-2 while avoiding compatibility issues with browsers that do not yet have the updated root certificate, install the SHA-2 intermediate certificate and add the cross-signed SHA-1 intermediate certificate as well. In that case the last link in the chain of trust is a SHA-1 signature, which is not optimally secure, but it lets the chain terminate in a root that older browsers already trust. This option is useful during the transition period: once the relevant browsers have updated their root stores, you can remove the cross-signed intermediate. Choose it if you want to switch to SHA-2 without disrupting visitors whose browsers lack the new root.

Attention! SHA-2-signed certificates are issued from a new intermediate certificate, which is different from the one used for SHA-1 certificates. Be sure to install the intermediate certificate that matches the hash algorithm of your own certificate: a mismatched intermediate breaks the chain of trust and browsers will reject the connection. You can check which algorithm your certificate is signed with using the following command:

$ openssl x509 -in example.crt -text -noout

The output contains lines like the following, showing whether the certificate is signed with SHA-1 or SHA-2. Note that "Signature Algorithm:" appears twice in the output, once inside the certificate body and once just before the signature bytes; the two must agree.

For certificates issued with SHA-1:

Issuer: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA 

and:

Signature Algorithm: sha1WithRSAEncryption

For certificates issued with SHA-2:

Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2

and:

Signature Algorithm: sha256WithRSAEncryption

Here's an example of a valid trust chain for a SHA-2 certificate, as displayed by openssl s_client (s: is the subject of each certificate, i: its issuer):

Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=example.com
   i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
 1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

Each certificate's issuer (i:) is the subject (s:) of the next one. Certificate 2 is the cross-signed certificate: the USERTrust RSA Certification Authority signed by the older AddTrust External CA Root, which lets the chain validate in browsers that do not yet trust the USERTrust RSA root directly.
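The two checks described above (which hash family a certificate is signed with, and whether the intermediate you installed is really its issuer) can be done without openssl by reading the DER directly. The following is an added example written for this page, not Gandi's or Comodo's code: it uses only the Python standard library, and the sample certificates at the bottom are constructed DER skeletons with dummy signature bytes and placeholder issuer names, not real certificates. To check your own files, pass the PEM text of your certificate and of the intermediate to check_pair.

```python
"""Added example, not Gandi's code: decide whether a certificate and an intermediate
belong together by reading the signatureAlgorithm OID and the issuer/subject Names
straight out of the DER. Standard library only. The sample certificates at the bottom
are constructed DER skeletons with dummy signatures, not real Gandi or Comodo certs."""
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 4055) and the hash family each belongs to.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
}

def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def read_tlv(buf, pos=0):
    """Decode one DER tag/length/value starting at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value, raw_tlv_bytes) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, end = read_tlv(value, pos)
        yield tag, val, value[pos:end]
        pos = end

def decode_oid(body):
    arcs, acc = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def algorithm_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    return decode_oid(next(v for t, v, _ in children(alg_id) if t == 0x06))

def parse_certificate(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    (_, tbs, _), (_, outer_alg, _), _signature = children(body)
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:  # optional EXPLICIT [0] version comes first
        fields = fields[1:]
    _serial, (_, inner_alg, _), (_, _, issuer), _validity, (_, _, subject) = fields[:5]
    return {"sig_oid": algorithm_oid(outer_alg), "tbs_sig_oid": algorithm_oid(inner_alg),
            "issuer": issuer, "subject": subject}  # Names kept as raw DER for exact comparison

def signature_family(cert):
    """'SHA-1', 'SHA-2' or 'unknown'. RFC 5280 4.1.1.2: both algorithm fields must agree."""
    if cert["sig_oid"] != cert["tbs_sig_oid"]:
        raise ValueError("signatureAlgorithm differs between tbsCertificate and outer field")
    return SIG_OIDS.get(cert["sig_oid"], ("?", "unknown"))[1]

def check_pair(leaf_pem, intermediate_pem):
    """Return (leaf family, intermediate family, leaf.issuer == intermediate.subject)."""
    leaf = parse_certificate(pem_to_der(leaf_pem))
    inter = parse_certificate(pem_to_der(intermediate_pem))
    return signature_family(leaf), signature_family(inter), leaf["issuer"] == inter["subject"]

# ---- constructed sample data: DER skeletons, NOT real certificates -----------------
def tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append((a & 0x7F) | 0x80)
        out += bytes(reversed(chunk))
    return bytes(out)

def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { commonName OID, PrintableString } } }
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, encode_oid("2.5.4.3")) + tlv(0x13, cn.encode()))))

def fake_cert_pem(subject_cn, issuer_cn, sig_oid):
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + b"\x05\x00")
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name(issuer_cn)
              + tlv(0x30, b"") + name(subject_cn) + tlv(0x30, b""))  # validity and SPKI left empty
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(8)))  # 8 dummy signature bytes
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()

LEAF_SHA2 = fake_cert_pem("example.com", "Gandi Standard SSL CA 2", "1.2.840.113549.1.1.11")
LEAF_SHA1 = fake_cert_pem("example.com", "Gandi Standard SSL CA", "1.2.840.113549.1.1.5")
INTER_CA2 = fake_cert_pem("Gandi Standard SSL CA 2", "USERTrust RSA Certification Authority",
                          "1.2.840.113549.1.1.11")
INTER_CA1 = fake_cert_pem("Gandi Standard SSL CA", "Constructed SHA-1 Root", "1.2.840.113549.1.1.5")

if __name__ == "__main__":
    print("SHA-2 leaf with CA 2:  ", check_pair(LEAF_SHA2, INTER_CA2))  # ('SHA-2', 'SHA-2', True)
    print("SHA-2 leaf with old CA:", check_pair(LEAF_SHA2, INTER_CA1))  # ('SHA-2', 'SHA-1', False)
```

The Names are compared as raw DER bytes rather than as the "C=FR, O=Gandi, ..." strings openssl prints, because that is how validators match a certificate to its issuer; a printed subject that merely looks right (the old "Gandi Standard SSL CA" next to a leaf issued by "Gandi Standard SSL CA 2") fails this check, which is exactly the wrong-intermediate mistake described above.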

We have put in place some rules to ensure we deliver the right certificates for SHA-1 and SHA-2. Please review them and make sure you request the right certificate for your site or application:

Until 1 January 2016:

  • Certificates with an expiration date after 1 January 2017 will be issued as SHA-2 only, even if the CSR was generated with SHA-1.
  • Certificates with earlier expiration dates will be issued as SHA-1 if the CSR was generated with SHA-1.
  • Certificates with earlier expiration dates will be issued as SHA-2 if the CSR was generated with SHA-2 (pending update).

After 1 January 2016:

  • All certificates will be issued as SHA-2, regardless of the hash specified in the CSR.

Note that if you already have a certificate, you can regenerate it as SHA-2 by choosing the regenerate option and submitting a CSR signed with SHA-2. Remember to update the intermediate certificate on your server if you do this.

For more information, please visit our documentation:

[1] Several weeks ago, our SSL partner, Comodo, began issuing certificates in SHA-2 whenever the expiration date of the certificate was after January 1, 2017. Customers whose certificates came back signed with a different algorithm than they expected may have installed the wrong intermediate certificate as a result. We weren't able to update our documentation to reflect this in a timely manner, and for this we sincerely apologize. You will now find all the information you need to set up your SHA-2 certificates at the links above.

[2] You can install the root certificate manually by navigating to this URL in Firefox:

http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt


In response to the publication of a security flaw in the design of SSL 3.0, we have enabled TLS_FALLBACK_SCSV support on our hosting platform and mail servers.

The flaw, dubbed POODLE in the announcement by the Google security team, lies in SSL 3.0's CBC padding. A network attacker who can make a client fall back from TLS to SSL 3.0 can then use it to recover parts of the plaintext of a secure connection (a session cookie, for instance). TLS_FALLBACK_SCSV lets a client signal that it is retrying with a lower protocol version, so a server that supports a higher version can refuse the downgraded connection.

If for some reason you cannot upgrade to a modern browser or operating system, you should take steps to protect yourself, such as disabling SSLv3 in your browser.

SSL 3.0 is already an obsolete protocol, so the vast majority of email clients will not notice any difference. However, some very old email clients, operating systems, and browsers (Windows XP with IE6, for example) may run into problems. If you notice any problems connecting to our mail servers, please write to our support team with the details.

For those interested in the technical details, there's some good reading over at Ars Technica.

Note: We considered disabling SSLv3 on connections to mail.gandi.net via IMAP and POP3, but decided not to do so immediately. We will do so in the months to come, after taking steps to minimize the impact it will have on our customers' services.
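To make the TLS_FALLBACK_SCSV mechanism mentioned above concrete, here is an added example (written for this page, not Gandi's code and not a real TLS implementation) that models both sides of the negotiation: a client doing the browser-style "downgrade dance", an on-path attacker that drops handshakes above a chosen version, and a server applying the RFC 7507 rule. The version numbers, the SCSV value 0x5600 and the alert names are from the RFC; the Server and client_connect models are simplifications written for the example.

```python
"""Added example, not Gandi's code: a model of the TLS_FALLBACK_SCSV rule from RFC 7507,
showing why it blocks the forced downgrade that POODLE relies on. Version numbers, the
SCSV value 0x5600 and the alert names are from the RFC; the client's retry loop and the
on-path attacker are simplified, constructed models, not a real TLS implementation."""

SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
TLS_FALLBACK_SCSV = 0x5600  # not a cipher suite: a marker meaning "this ClientHello is a retry"
AES128_SHA = 0x002F         # TLS_RSA_WITH_AES_128_CBC_SHA, used only as filler in the suite list


class Server:
    def __init__(self, max_version, min_version=SSL3, honours_scsv=True):
        self.max_version, self.min_version = max_version, min_version
        self.honours_scsv = honours_scsv  # False models a server without the RFC 7507 check

    def client_hello(self, client_version, cipher_suites):
        """Answer a ClientHello with ('server_hello', version) or ('alert', description)."""
        # RFC 7507 section 3: SCSV present while the client offers less than our maximum
        # means someone between us and the client made an earlier handshake fail.
        if self.honours_scsv and TLS_FALLBACK_SCSV in cipher_suites and client_version < self.max_version:
            return ("alert", "inappropriate_fallback")  # fatal alert, code 86
        chosen = min(client_version, self.max_version)
        if chosen < self.min_version:
            return ("alert", "protocol_version")  # e.g. a server with SSL 3.0 switched off
        return ("server_hello", chosen)


def client_connect(server, versions, attacker_blocks_above=None):
    """Browser-style downgrade dance: start at the highest version the client speaks; if the
    handshake never completes (modelled as an on-path attacker dropping every ClientHello
    above a threshold), retry one version lower and add TLS_FALLBACK_SCSV to say so."""
    for attempt, version in enumerate(sorted(versions, reverse=True)):
        suites = [AES128_SHA] + ([TLS_FALLBACK_SCSV] if attempt > 0 else [])
        if attacker_blocks_above is not None and version > attacker_blocks_above:
            continue  # ClientHello dropped, connection reset: the client falls back
        return server.client_hello(version, suites)
    return ("failed", "no version accepted")


MODERN_CLIENT = [SSL3, TLS10, TLS11, TLS12]
LEGACY_CLIENT = [SSL3, TLS10]


def scenarios():
    """The cases that matter, as label -> outcome."""
    return {
        "no attacker": client_connect(Server(TLS12), MODERN_CLIENT),
        "attacker, server ignores SCSV": client_connect(Server(TLS12, honours_scsv=False), MODERN_CLIENT, SSL3),
        "attacker, server honours SCSV": client_connect(Server(TLS12), MODERN_CLIENT, SSL3),
        "legacy client, no attacker": client_connect(Server(TLS12), LEGACY_CLIENT),
        "fallback to a server whose best is TLS 1.0": client_connect(Server(TLS10), MODERN_CLIENT, TLS10),
        "attacker, SSL 3.0 disabled server-side": client_connect(
            Server(TLS12, min_version=TLS10, honours_scsv=False), MODERN_CLIENT, SSL3),
    }


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print("%-45s -> %s" % (label, outcome))
```

Two of the scenarios are the ones worth remembering: a server that ignores the SCSV happily completes the SSL 3.0 handshake the attacker steered the client into, while a server that honours it answers with a fatal inappropriate_fallback alert. The "TLS 1.0 server" case shows why the rule does not break legitimate fallback: the alert fires only when the client offers a version lower than the server's own maximum. Disabling SSL 3.0 outright (the last scenario) closes the hole even for servers and clients that know nothing about the SCSV.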


As you may know, SWITCH, the registry in charge of the .CH TLD, is ending its activities as a registrar at the end of the first quarter of 2015.

All holders of a .CH domain name will need to have chosen a new registrar by then.

Whether you're already a Gandi customer or just checking out your options, we've prepared an offer we hope you'll find appealing:

For those who have already chosen Gandi, we're lowering our prices! Renewals have dropped from $23.00 to $16.64. New registrations now cost $13.00 (previously $18.00) and transfers are free of charge. (Note that transfers do not alter the expiration date nor the DNS of the domain.)

To sweeten the deal even more, we're offering a promo code for 30% off your first renewal for all .CH domains transferred to Gandi before the end of the year, whether you're coming from SWITCH or another registrar. The promo code will appear in your account within 7 days of the transfer and will allow you to renew your domain for $11.64 instead of $16.64 until January 2015.

Still not sure we're the registrar for you? Check out all the features that come free with each domain at Gandi!

Ready to make the switch? Transferring your .CH to Gandi is simple and fast.

First, you just need to get your domain's transfer authorization code.

Once you've done that, you just need to enter the list of domains in the domain transfer form and follow the steps!


An emergency maintenance will be carried out on Thursday, October 16th 2014 at 4:30 PM CEST on the Gandimail platform.

This maintenance is likely to make some mailboxes unavailable while it is in progress.

Please accept our apologies for any inconvenience this emergency maintenance may cause.

Update (5:55 CEST): the Gandimail emergency maintenance has been completed.


There is currently a problem with BaseKit, which GandiSite is based on.

Consequently, websites using GandiSite are offline. (SiteMaker sites are not affected.)

Our teams are in the process of investigating the problem. Updates will be provided here.

Update Wed 15 Oct 20:00 UTC (1pm PDT): Everything should be back to normal. Please let us know if you encounter any further issues.


Starting today, you can register a .cat for two years for the price of a one-year registration, which at A rates will cost you $13.00.

The promo is valid until the end of 2014.

Note: anyone can register a .CAT, but you must publish a website in the Catalan language within 6 months of registering the domain name. For more info, see the .cat info page.



An incident has occurred on one of our storage units in the Parisian datacenter. Our technical team is working to resolve the issue as quickly as possible.

UPDATE (2:57 AM UTC): the situation should be back to normal. Feel free to contact our support if you notice anything wrong.


We just suffered a major incident at one of our facilities. A faulty processor caused the shutdown of a storage unit.

As communications to the disks were interrupted, all operations (reboots, changes, etc.) were suspended.

We restarted the unit, and all services have begun recovering. Operations that were queued during the outage are being executed once again. No data was lost. Everything should be returning to normal.

This incident started at 16:19 CEST (07:19 Pacific time). The system was recovered at 16:57, and all queued operations were fully resolved at 17:25 CEST (08:25 Pacific time).


We do apologise for this interruption in service.

As a reminder, you can see the status of our services here:

https://www.gandi.net/servstat

You can also follow the Gandi NOC's Twitter feed at @gandinoc.

This news feed is available at: https://www.gandi.net/news


Three more new gTLDs are entering the Sunrise phase.

The list is below, accompanied by the corresponding Sunrise, Landrush and Golive prices of a one-year registration, all at A rates:

The first one to enter GoLive is .engineer, which will become available for purchase by all at normal prices on 19 November 2014 at 9am PDT (16:00 UTC).

.auction and .software will enter GoLive on 10 December, also at 9am PDT (16:00 UTC).

On Tuesday, 7 October, we experienced a series of serious incidents affecting some of the storage units in our Parisian datacenter. These incidents caused two interruptions in service for some of our customers, affecting both Simple Hosting instances and IaaS servers.

The combined effect of these interruptions represents the most serious hosting outage we've had in three years.

First and foremost, we want to apologize. We understand how disruptive this was for many of you, and we want to make it right.

In accordance with our Service Level Agreement, we will be issuing compensation to those whose services were unavailable.

Here's what happened:

On Tuesday, October 7, shortly before 8:00 p.m. Paris time (11:00 a.m. PDT), a storage unit in our Parisian datacenter housing a part of the disks of our IaaS servers and Simple Hosting instances became unresponsive.

At 8:00 p.m., after ruling out the most likely causes, we made the decision to switch to the backup equipment.

At 9:00 p.m., after one hour of importing data, the operation was interrupted, leading to a lengthy investigation that ended with us falling back to the original storage unit. Having determined that the caching equipment was at fault, our team replaced the write-journal disk.

At 2:00 a.m., the storage unit whose disk had been replaced was rebooted.

Between 3:00 and 5:30 a.m., the recovery from a 6-hour outage caused a heavy overload, both on the network level and on the storage unit itself. The storage unit became unresponsive, and we were forced to restart the VMs in waves.

At 8:30 a.m., all the VMs and instances were once again functional, with a few exceptions which were handled manually.

We inspected our other storage units that were using the same model of disk, replacing one of them as a precaution.

At 12:30 p.m., we began investigating some slight misbehavior exhibited by the storage unit whose drive we had replaced as a precaution.

At 3:50 p.m., three virtual disks and a dozen VMs became unresponsive. We investigated and identified the cause, and proceeded to update the storage unit while our engineers worked on the fix.

Unfortunately, this update caused an unexpected automatic reboot, causing another interruption for the other Simple Hosting instances and IaaS servers on that storage unit.

By 4:15 p.m., all Simple Hosting instances were functional again, but there were problems remounting IaaS disks. By 5:30 p.m., 80% of the disks were accessible again, with the rest following by 5:45 p.m.

This second incident lasted about two hours (4:00 to 6:00 p.m.). During this time, all hosting operations (creating, starting, or stopping servers) were queued.

Due to the large number of queued operations, it took until 7:30 p.m. for all of them to complete.

These incidents have seriously impacted the quality of our service, and for this we are truly sorry. We have already begun taking steps to minimize the consequences of such incidents in the future, and are working on tools to more accurately predict the risk of such hardware failures.

We are also working on a customer-facing tool for incident tracking which will be announced in the coming days. 

Thank you for using Gandi, and please accept our sincere apologies. If you have any questions, please do not hesitate to contact us.

The Gandi team

