Bug#748740: Does not work anymore with https servers that use selfsigned certificates

Klaus Ethgen Klaus at Ethgen.de
Sun May 25 09:00:40 UTC 2014


On Sun, 25 May 2014 at 8:27, Jakub Wilk wrote:
> >To be clear, I want to _have_ the hostname verified but _not have_ the
> >certificate itself checked.
> 
> Hmm, that's an odd choice. Surely if you don't verify the peer certificate,
> then anybody capable of MiTM can just forge a certificate with any
> CN/subjectAltName they want.

That's true, but to verify the peer certificate does not help in this
situation as we have many CAs in our chain, even ones from USA or
turktrust. Only certificates checked by hand and cached (such as how ssh
does it) will help in this situation. I do not trust any commercial ssl
certification instance.

Regards
   Klaus
-- 
Klaus Ethgen                              http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen <Klaus at Ethgen.de>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
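
The approach named in the message above (certificates checked by hand and cached, the way ssh does it), as an added example that is not part of the original message or of the package the bug concerns. The function names, the JSON store layout and the choice of Python's `ssl` module are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(store: dict, host: str, port: int, der_cert: bytes) -> str:
    """Compare a presented certificate with the cached pin for host:port.

    Returns "unknown" (no pin yet; a human must verify the fingerprint),
    "match", or "mismatch" (the certificate changed or was substituted).
    """
    pinned = store.get(f"{host.lower()}:{port}")
    if pinned is None:
        return "unknown"
    return "match" if hmac.compare_digest(pinned, fingerprint(der_cert)) else "mismatch"


def accept_pin(store: dict, host: str, port: int, der_cert: bytes) -> None:
    """Record a pin after its fingerprint was confirmed out of band."""
    store[f"{host.lower()}:{port}"] = fingerprint(der_cert)


def load_store(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(path: Path, store: dict) -> None:
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


def connect_pinned(store: dict, host: str, port: int = 443) -> ssl.SSLSocket:
    """Open a TLS connection whose only trust anchor is the cached pin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # no CA chain is consulted, so the name
    ctx.verify_mode = ssl.CERT_NONE  # inside the certificate proves nothing
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                           server_hostname=host)
    verdict = check_pin(store, host, port, sock.getpeercert(binary_form=True))
    if verdict != "match":           # refuse before any request is sent
        sock.close()
        raise ssl.SSLError(f"{host}:{port}: certificate pin {verdict}")
    return sock
```

Because the pin is keyed by host and port and covers the whole certificate, it ties the server name to one specific certificate without relying on any CA.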



More information about the pkg-perl-maintainers mailing list