curl and certificate verification in jessie
Ian Jackson
ijackson at chiark.greenend.org.uk
Thu Dec 4 16:43:27 UTC 2014
Tollef Fog Heen writes ("Re: curl and certificate verification in jessie"):
> Ian Jackson:
> > Each time you generate an EE key which you intend to use this way,
> > also create an ad-hoc single-shot CA. Generate one EE certificate
> > using the CA, on the EE public key, and then throw the CA private key
> > away (or keep it alongside the EE private key). In clients, configure
> > the ad-hoc CA public key instead of the EE public key.
>
> Given we want those certificates to be usable by people using normal web
> browsers too, this will lead to lots of popups about untrusted CAs,
> unless we get our certificate provider to sign those CA certs for us. I
> don't think they're willing to do that.
Oh, I see. I hadn't understood you were trying to do that too.
> > This is of course all very tedious and it would be nice to fix the TLS
> > libraries. But if (as I suspect) the desired configuration is
> > (absurdly) forbidden by the standards, we might have to use this
> > workaround.
>
> This is free software. We can fix the software to DTRT if we need to.
That's true, but we might not want to carry an intrusive
security-relevant patch. I asked around on a local irc channel and am
none the wiser about the standards question.
I haven't done any code archaeology in gnutls28. I think that's the
next place to look, since no-one seems to have any better information :-/.
Ian.
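As an added example (not code from this thread, nor from curl or gnutls), here is the "ad-hoc single-shot CA" workaround quoted above, carried out with the openssl command line: generate the EE key, create a throwaway CA, issue exactly one EE certificate under it, destroy the CA private key, and then verify the way a client configured with only the ad-hoc CA certificate would. The hostname example.test, the file names and the directory layout are assumptions made for the demonstration; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread: the ad-hoc
# single-shot CA workaround, done with the openssl CLI.
# Assumed: openssl on PATH; hostname example.test, file names and
# directory layout are constructed for this demonstration.
set -eu

# Build: EE key -> throwaway CA -> one EE cert signed by it -> CA key destroyed.
# Afterwards $dir contains only ee.key, ee.crt and adhoc-ca.crt.
make_adhoc_chain() {
    host="$1"; dir="$2"
    mkdir -p "$dir"
    # 1. The end-entity key whose certificate clients should accept.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/ee.key" 2>/dev/null
    # 2. The ad-hoc CA: a fresh key and a self-signed CA certificate.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/adhoc-ca.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/adhoc-ca.key" \
        -subj "/CN=ad-hoc CA for $host" -days 3650 -out "$dir/adhoc-ca.crt"
    # 3. One certificate on the EE public key, signed by the ad-hoc CA.
    #    A subjectAltName is added because browsers match the hostname
    #    against SAN rather than the CN.
    openssl req -new -key "$dir/ee.key" -subj "/CN=$host" -out "$dir/ee.csr"
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/ee.ext"
    openssl x509 -req -in "$dir/ee.csr" -CA "$dir/adhoc-ca.crt" \
        -CAkey "$dir/adhoc-ca.key" -CAcreateserial -days 3650 \
        -extfile "$dir/ee.ext" -out "$dir/ee.crt" 2>/dev/null
    # 4. Throw the CA private key away. Nothing else can ever be issued
    #    under this CA, so trusting adhoc-ca.crt is the same as trusting
    #    this single EE certificate.
    rm -f "$dir/adhoc-ca.key" "$dir/ee.csr" "$dir/ee.ext" "$dir/adhoc-ca.srl"
}

# The client side: trust only the ad-hoc CA certificate and check the EE
# certificate against it (for curl this is --cacert adhoc-ca.crt).
# Returns 0 when the chain verifies. The "<file>: OK" line is matched
# instead of relying on the exit status, which old openssl versions got wrong.
verify_ee_against_ca() {
    ca_crt="$1"; ee_crt="$2"
    openssl verify -CAfile "$ca_crt" "$ee_crt" 2>/dev/null | grep -q ': OK$'
}

# Demonstration on two independent ad-hoc CAs for the same hostname:
# each EE cert verifies only against the CA that issued it.
demo() {
    tmp="$(mktemp -d)"
    make_adhoc_chain example.test "$tmp/a"
    make_adhoc_chain example.test "$tmp/b"
    if verify_ee_against_ca "$tmp/a/adhoc-ca.crt" "$tmp/a/ee.crt"; then
        echo "own ad-hoc CA:   ee.crt verifies (expected)"
    fi
    if ! verify_ee_against_ca "$tmp/a/adhoc-ca.crt" "$tmp/b/ee.crt"; then
        echo "other ad-hoc CA: ee.crt rejected (expected)"
    fi
    rm -rf "$tmp"
}

demo
```

A client is then configured with adhoc-ca.crt as its only trust anchor for this service (`curl --cacert adhoc-ca.crt https://example.test/`), which gives the pinning effect the quoted paragraph describes while keeping the trust store in the CA-shaped form the TLS libraries expect. The objection raised in the reply still stands: a browser will not trust this CA until the user imports it, and the second check in `demo` shows why that is the right behaviour, since a certificate from any other ad-hoc CA for the same name is rejected.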