Yes, that's right.

Ryan


On Mon, Apr 12, 2021 at 4:23 PM Sage Gerard <s...@sagegerard.com> wrote:

> Understood, thank you. By "trusted location," do you mean a server with a
> certificate that operating systems already trust?
>
> On 4/12/21 10:15 AM, Ryan Culpepper wrote:
>
> Racket does not provide a way to do that.
>
> You can use `openssl s_client -showcerts -connect host:port < /dev/null`
> to get the server's certificate chain in PEM form (with other logs around
> it). Of course, an attacker could intercept the connection and send you
> their CA certificate instead. It would be safer if example.com published
> their certificate in a (standardly) trusted location.
>
> If you do something like this, consider mitigating the danger by having
> the user add the certificate to a separate location managed by your
> application rather than the OS trust store. You can extend the
> `ssl-default-verify-sources` parameter to point to a file containing
> additional root certificates.
>
> Ryan
>
>
> On Mon, Apr 12, 2021 at 3:20 PM Sage Gerard <s...@sagegerard.com> wrote:
>
>> When ssl-connect fails due to an untrusted certificate, this error is
>> raised:
>>
>> ssl-connect: connect failed (error:1416F086:SSL
>> routines:tls_process_server_certificate:certificate verify failed)
>>
>> I'd like to give the user a more helpful error, like this:
>>
>> Could not connect due to an untrusted certificate. In many cases, it is
>> not advisable to proceed. However, if you trust the server at
>> example.com, add /tmp/example.com.cert to your trusted certificates
>> using this guide: <guide link>
>>
>> How can I get a copy of the offending certificate so that I can do this?
>>
>> --
>> ~slg
>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Racket Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to racket-users+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/racket-users/8a55256d-71ed-b47f-5b92-c958438c5659%40sagegerard.com
>> .
>>
> --
> ~slg
>
>
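
The approach suggested in the quoted reply (an application-managed file of extra root certificates, added to `ssl-default-verify-sources`), sketched as an added example that is not part of the thread or of Racket's own code. The directory name "myapp", the file name and the function names are assumptions made for illustration.

```racket
#lang racket/base
;; Added example, not code from the thread. "myapp", "extra-roots.pem" and
;; all function names below are hypothetical.
(require openssl racket/file racket/string)

;; Application-managed trust file, kept apart from the OS trust store.
(define app-roots-file
  (build-path (find-system-path 'pref-dir) "myapp" "extra-roots.pem"))

;; Append a PEM certificate that the user has explicitly chosen to trust.
;; Only checks that the file looks like PEM; deciding whether the
;; certificate deserves trust remains the user's call.
(define (trust-certificate! pem-path)
  (define pem (file->string pem-path))
  (unless (string-contains? pem "-----BEGIN CERTIFICATE-----")
    (raise-argument-error 'trust-certificate! "PEM certificate file" pem-path))
  (make-parent-directory* app-roots-file)
  (call-with-output-file app-roots-file #:exists 'append
    (lambda (out)
      (write-string pem out)
      (newline out))))

;; Platform default sources plus the application's own file, if present.
(define (app-verify-sources)
  (if (file-exists? app-roots-file)
      (append (ssl-default-verify-sources) (list app-roots-file))
      (ssl-default-verify-sources)))

;; Connect with certificate and hostname verification still enforced.
;; The extra roots apply only inside this parameterize, so other code
;; in the process keeps the unmodified defaults.
(define (connect/app-roots host port)
  (parameterize ([ssl-default-verify-sources (app-verify-sources)])
    (ssl-connect host port (ssl-secure-client-context))))
```

Because the extra file is consulted only through `connect/app-roots`, a certificate added this way is never trusted by other programs on the machine, and deleting the file revokes it.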
