I've shamelessly repurposed this older thread (as of 12 January 2015), in which early-beta 1.4 confs were distributed, since the 1.4 files are now in official production over at cryptostorm.ch/conf. That's a locked thread, so I'm opening this as a more freewheeling place to do fine-grained analysis of these upgraded connection configurations.
Right off the bat, I expect there are still some bugs and small errors in at least a few of these... and, much as I hate to say it, likely still an error or two in the many hundreds of HAF-compliant hostname A Records that sit behind this whole endeavour. I've done every one of those edits myself, manually, over a period of several months of intermittent effort. Despite triple-checking every one, I just know that the statistics work against us on this one: somewhere in there, an IP address is mis-mapped. It's all but inevitable. This is not a security issue; the worst-case is basically that a Windows member gets unintentionally routed to a Linux instance, which won't be happy with the slight variances in the sessions they support.
Also, let me speak bluntly: I killed off any mappings to pre-heartbleed cert instances. This was a huge debate amongst the team; I'm not really sure who is right, in terms of the differing positions. I will say this: as our cryptographic specialist I can't say the pre-heartbleed instances worried me at all (long, boring discussion to explain why). However, in an operations framework, the decoupled certificate materials were a nightmare - and that was keeping people off the network. That is, therefore, a security matter - and I pull rank to make that decision, and thus improve member security overall.
I have no doubt some folks will be connecting in coming hours and days, and having inexplicable "certificate mismatch" errors all of a sudden. Those'll be pre-hb cert fingerprints running up against post-hb instances. It's going to happen. I'm sorry for the hassle, but it's got to be done. The number of folks impacted will be small, but it's still something we hate to have to do.
So please report problems, bugs, typos, etc. here. The formal academic in me would keep fiddling with these 1.4 versions essentially forever, to ensure they are bug-free. That's not practical - we have to get them into production. So, as usual, we're counting on member and community feedback to help fine-tune these into the elegant little info-sculptures they're meant to be.
And yes, if something in them sucks or is broken - I am more or less solely to blame. The nature of this sort of work is that two people tend to have a harder time than one person working alone, and three even more so. It's tedious, detail-intensive, exhausting, important work... I love it, but if there are errors you've nobody to blame but me. I apologise in advance if I did not hit the standard I set for myself in finishing these, but on balance I am happy with the work done. Indeed, the benefits of HAF compliance are... enormous.
Also... how about all those bloody limes!
- ~ pj