curl and certificate verification in jessie
Ian Jackson
ijackson at chiark.greenend.org.uk
Thu Dec 4 18:48:57 UTC 2014
Daniel Kahn Gillmor writes ("Re: curl and certificate verification in jessie"):
> So, the idea is that when you "accept" an EE cert, you need to do it
> with an explicit associate to a specific peer's name, not just the cert
> itself. newer versions of GnuTLS provide this facility, but it's not
> the traditional (and potentially dangerous) "here's a package of certs
> i'm OK with" interface that it was before. And of course that interface
> isn't used by curl yet.
How about the following change to GnuTLS: if _all_ of the supplied
certificates are EE certificates (eg, have the critical CA constraint
set to false), we disable this check ?
In that situation it is clear that the caller is not trying to use the
X.509 CA infrastructure at all and has been `abusing' the CA interface
to provide the expected public keys directly.
Ian.
More information about the Pkg-gnutls-maint
mailing list