-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Sun, 25 May 2014 at 8:27, Jakub Wilk wrote:
> >To be clear, I want to _have_ the hostname verified but _not have_ the
> >certificate itself checked.
>
> Hmm, that's an odd choice. Surely if you don't verify the peer certificate,
> then anybody capable of MiTM can just forge a certificate with any
> CN/subjectAltName they want.
That's true, but verifying the peer certificate does not help in this situation, as we have many CAs in our chain, even ones from the USA or TurkTrust. Only certificates checked by hand and cached (the way ssh does it) will help in this situation. I do not trust any commercial SSL certification instance.

Regards
Klaus

- --
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <[email protected]>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQGcBAEBCgAGBQJTgbE2AAoJEKZ8CrGAGfas8P4L/3HpMIuk/VoLZCV449hIgMH1
dCPD2ghgIIi794MTMjwjGIf546kriYmgVDtcalWcAx8B+UtkgPRD61v7JJrwPSp/
PYGoRBMBbhz7MHYXlZ6eFfjZlXIsrLforuLojlcaX00sWm+vIpmYZTFdHjf0f4tj
8x+vLByUQk+4W6szym6bRYRZ9OGUwheVuUtcZuds8Hpc4qpLjg3TZAkqHIt1azf5
mH73qOZ3azbYqptsdX0ObDc0YARWPiUvgTX6VekZ7Cyz4tjaWzdi8DAb8uNR/yvv
AyRqNXqmy9ehHwJyUJ0wFXNfLfDiC0TYUksAgh9BwXzlNJgtJm6+UMM+ojGaAxRP
zTAtvPYL/ZjfQLPDUq3i+CwZ9uvDxU28Q9Ctux//LEvXaCGG+Sjmkq58v5Wfsp/X
Va92gPfy6qVv3xp36KQkS7KkVcs5S/70bo+O88+uFhd3JMYvBhETdhkzHdYr2VcE
eu2dys5OGQeW/Hj/H8WNezyex7sIQw9hj3RmBwzBwQ==
=jGH9
-----END PGP SIGNATURE-----
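The "checked by hand and cached, the way ssh does it" model from the message above, as an added example that is not part of the thread or of any Debian package: a known_hosts-style pin store for TLS peer certificates. The pin is the SHA-256 of the DER certificate recorded for a given hostname, so the name binding comes from the cache key rather than from a CA-signed SAN; a connection is accepted only if the host presents the certificate that was pinned for it, and a changed certificate is refused the way ssh refuses a changed host key. The hostnames, file name and certificate bytes are constructed, and `connect_pinned` is the one function that touches the network.

```python
"""SSH-style trust-on-first-use pinning for TLS peer certificates (added example)."""
import hashlib
import json
import os
import socket
import ssl
import tempfile
from pathlib import Path


class PinMismatch(Exception):
    """The host presented a certificate that differs from the one pinned for it."""


class PinStore:
    """A known_hosts-like cache mapping hostname -> SHA-256 of the DER certificate."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = {}
        if self.path.exists():
            self.pins = json.loads(self.path.read_text())

    @staticmethod
    def fingerprint(der_cert: bytes) -> str:
        return hashlib.sha256(der_cert).hexdigest()

    def _save(self):
        self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, hostname: str, der_cert: bytes, trust_on_first_use: bool = False) -> str:
        """Return 'pinned' if the cert matches the cache, 'new' if it was just pinned.

        Raises KeyError for an unknown host when TOFU is off (the operator is expected
        to verify the fingerprint out of band and pin it), and PinMismatch when a
        known host presents a different certificate.
        """
        fp = self.fingerprint(der_cert)
        known = self.pins.get(hostname)
        if known is None:
            if not trust_on_first_use:
                raise KeyError(f"no pin for {hostname}; verify sha256:{fp} by hand before pinning")
            self.pins[hostname] = fp
            self._save()
            return "new"
        if known != fp:
            raise PinMismatch(f"{hostname}: pinned sha256:{known}, got sha256:{fp}")
        return "pinned"


def connect_pinned(hostname: str, port: int, store: PinStore, trust_on_first_use: bool = False):
    """Open a TLS connection whose peer is judged by the pin store, not by the CA set.

    The CA chain is deliberately not consulted (CERT_NONE); the pin check below is
    what stands in for it. SNI is still sent so the server picks the right cert.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # hostname binding is enforced by the pin lookup
    ctx.verify_mode = ssl.CERT_NONE  # no CA-based chain validation (by design here)
    sock = socket.create_connection((hostname, port))
    tls = ctx.wrap_socket(sock, server_hostname=hostname)
    try:
        der = tls.getpeercert(binary_form=True)  # DER bytes are available even with CERT_NONE
        store.check(hostname, der, trust_on_first_use)
    except Exception:
        tls.close()
        raise
    return tls


def demo():
    """Walk the pin lifecycle offline with constructed (not real) certificate bytes."""
    cert_a = b"constructed-DER-certificate-A"   # stands in for a real DER cert
    cert_b = b"constructed-DER-certificate-B"   # a different cert for the same host
    host = "mail.example.invalid"                # constructed hostname
    events = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "known_tls_hosts.json")
        store = PinStore(path)
        try:
            store.check(host, cert_a)            # unknown host, TOFU off: refuse
        except KeyError:
            events.append("unknown-rejected")
        events.append(store.check(host, cert_a, trust_on_first_use=True))  # pinned now
        events.append(PinStore(path).check(host, cert_a))                  # survives reload
        try:
            PinStore(path).check(host, cert_b)   # changed cert: refuse, like ssh
        except PinMismatch:
            events.append("changed-rejected")
    return events


if __name__ == "__main__":
    print(demo())
```

The pin file plays the role of `~/.ssh/known_hosts`: the first contact is the only moment trust is extended, and only when the operator opts in with `trust_on_first_use`; afterwards a CA is never asked, so a mis-issued certificate from any CA in the system store changes nothing. The price is the same as with ssh: a legitimate certificate rotation shows up as a mismatch and has to be re-verified and re-pinned by hand.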

