Everyone,

Let's step back a bit. It seems that the situation when it comes to verifying your certificates against common commercial CAs perhaps isn't so terrible as I first thought. The larger situation isn't so great. So, here's what I propose:

- We add the support to nmh for basic certificate verification (including CN/SAN matching of the server hostname). This would require you to have a certificate in the default location for your OS for OpenSSL.
- This would be the default; we would have a profile entry that would fall back to simply ignoring the certificate check.
- No CRL/OCSP verification would be done on the server certificate.

While I would love to support TOFU, I'm afraid it's too much code at this point, since I still would like to get 1.7 out the door in a reasonable timeframe. Supporting OCSP actually isn't too much code, but I'm thinking about configuration issues, and also we'd want to cache OCSP replies; it would suck to have to deal with a single OCSP query for every TLS connection. Again, more code than I would like for 1.7.

Thoughts?

--Ken

_______________________________________________
Nmh-workers mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/nmh-workers
