Thanks Stephen, I'll check it out.
On Wed, Oct 10, 2018 at 5:10 AM Stephen Gallagher <sgall...@redhat.com> wrote:
>
> On Tue, Oct 9, 2018 at 4:56 AM Stef Walter <swal...@redhat.com> wrote:
> >
> > On 09/10/2018 08:47, Paul Cuzner wrote:
> > > Excellent.
> > >
> > > Will this also work with self-signed, or would you simply specify
> > > validate false?
> >
> > The latter. The following for self-signed:
> >
> > { "tls": { "validate": false } }
> >
> > In particular self-signed certificates do not have anything appropriate
> > to put under "authority" in order to make them validate.
> >
>
> Tangentially related: I'd recommend using a signed certificate rather
> than a self-signed one, even in testing environments. You'd be
> surprised how often people get into the habit of doing "validate:
> false" everywhere and then get into trouble. I wrote a handy little
> tool a while ago (packaged on Fedora and EPEL) called sscg (the Simple
> Signed Certificate Generator) that will create a safe certificate for
> the same use-cases as self-signed, except that it contains a
> certificate authority you can import in your clients that will
> validate only this service.
>
> See 
> https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates-why-they-are-terrible-and-a-better-alternative/
> for details on how it works and http://github.com/sgallagher/sscg for
> the source.
_______________________________________________
cockpit-devel mailing list -- cockpit-devel@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/cockpit-devel@lists.fedorahosted.org