>> You pin a certificate by whitelisting expected server certificates
>> (possibly thumbprints).
> [SNIP]
> So my original question was how do I get wget to verify the torproject.org
> fingerprint [4] without depending on root CA's? The only possible solution
> I saw was downloading the torproject.org SSL public key, run a local CA,
> sign the certificate and run wget with the --ca-certificate switch. That's why
> I posted the question "Sign public key without having CSR or private key?".
> If there are any suggestions for this situation I am all ears.
Come to think of it, you could use OpenSSL's s_client to do the
pinning, and then use wget if everything is OK. It does set up a
small breeding ground for a TOCTOU
but I believe the risk is small.
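As an added illustration (not part of the original thread, and not the poster's own script), here is what the "s_client first, wget second" sequence looks like as a POSIX shell script. The leaf certificate is pulled with openssl s_client, its SHA-256 fingerprint is compared against a pinned value, and wget is only run on a match. The host name, URL and the all-zero fingerprint in the usage comment are placeholders, not real torproject.org values; openssl and wget are assumed to be installed.

```shell
#!/bin/sh
# Added example: pin a server certificate by SHA-256 fingerprint using
# openssl s_client, then hand the download to wget only if the pin matches.
# Assumptions: openssl and wget are on PATH. Host, URL and fingerprint
# values are placeholders supplied by the caller.

set -u

# Read a PEM certificate on stdin and print its SHA-256 fingerprint,
# normalised to uppercase hex with the colons removed.
pem_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Compare an observed fingerprint with the pinned one (colons and case are
# ignored). Returns 0 on match, 1 otherwise; an empty observed value never matches.
fingerprint_matches() {
    observed=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    if [ -n "$observed" ] && [ "$observed" = "$expected" ]; then
        return 0
    fi
    return 1
}

# Connect to host:port, take the leaf certificate the server presents and
# print its fingerprint. stdin is closed so s_client exits after the handshake.
server_fingerprint() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM | pem_fingerprint
}

# Pin, then download. Note that the check and the download are two separate
# TLS connections, which is the TOCTOU window mentioned in the thread.
pinned_wget() {
    host=$1
    expected=$2
    url=$3
    observed=$(server_fingerprint "$host")
    if fingerprint_matches "$observed" "$expected"; then
        wget "$url"
    else
        echo "pin mismatch for $host: got '$observed', expected '$expected'" >&2
        return 1
    fi
}

# Usage (placeholder fingerprint, not a real value):
# pinned_wget www.example.test \
#     0000000000000000000000000000000000000000000000000000000000000000 \
#     https://www.example.test/some/file
```

The pinned value can be taken from `openssl x509 -noout -fingerprint -sha256` on a certificate obtained out of band; because wget opens its own connection, the script only shrinks the window the thread describes, it does not close it.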

