ftp(1) and SSL/TLS server certificate validation
Hi,

CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2013/12/24 06:00:59

Modified files:
    usr.bin/ftp: fetch.c ftp.1 ftp_var.h main.c

Log message:
Add support for SSL/TLS server certificate validation, enabled by default.
See the documentation for the `-S' switch. This also allows setting the
preferred ciphers for the communication.

Documentation bits ok'ed by jmc@, ok beck@ sthen@.

This will probably break some MASTER_SITES that use https:// but have
improper / unrecognized certs / CAs. Please report the offender sites so
that we can fix the Makefiles.

-- 
jca | PGP: 0x06A11494 / 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
Re: ftp(1) and SSL/TLS server certificate validation
On 2013/12/24 14:16, Jérémie Courrèges-Anglas wrote:
> Hi,
>
> CVSROOT: /cvs
> Module name: src
> Changes by: j...@cvs.openbsd.org 2013/12/24 06:00:59
>
> Modified files:
>     usr.bin/ftp: fetch.c ftp.1 ftp_var.h main.c
>
> Log message:
> Add support for SSL/TLS server certificate validation, enabled by default.
> See the documentation for the `-S' switch. This also allows setting the
> preferred ciphers for the communication.
>
> Documentation bits ok'ed by jmc@, ok beck@ sthen@.
>
> This will probably break some MASTER_SITES that use https:// but have
> improper / unrecognized certs / CAs. Please report the offender sites so
> that we can fix the Makefiles.

..or in some cases we may want to add the CA root to cert.pem.
Re: ftp(1) and SSL/TLS server certificate validation
Stuart Henderson st...@openbsd.org writes:
> On 2013/12/24 14:16, Jérémie Courrèges-Anglas wrote:
> > Hi,
> >
> > CVSROOT: /cvs
> > Module name: src
> > Changes by: j...@cvs.openbsd.org 2013/12/24 06:00:59
> >
> > Modified files:
> >     usr.bin/ftp: fetch.c ftp.1 ftp_var.h main.c
> >
> > Log message:
> > Add support for SSL/TLS server certificate validation, enabled by default.
> > See the documentation for the `-S' switch. This also allows setting the
> > preferred ciphers for the communication.
> >
> > Documentation bits ok'ed by jmc@, ok beck@ sthen@.
> >
> > This will probably break some MASTER_SITES that use https:// but have
> > improper / unrecognized certs / CAs. Please report the offender sites so
> > that we can fix the Makefiles.
>
> ..or in some cases we may want to add the CA root to cert.pem.

Oh, that too. For example my cousin Achmed also provides nice PKI
software that we could include in the ports tree, but he suggested that
we should first include his CA.

*runs away*

(https://bugzilla.mozilla.org/show_bug.cgi?id=647959)

-- 
jca | PGP: 0x06A11494 / 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
Re: ftp(1) and SSL/TLS server certificate validation
On 2013/12/24 14:46, Jérémie Courrèges-Anglas wrote:
> Stuart Henderson st...@openbsd.org writes:
> > On 2013/12/24 14:16, Jérémie Courrèges-Anglas wrote:
> > > Hi,
> > >
> > > CVSROOT: /cvs
> > > Module name: src
> > > Changes by: j...@cvs.openbsd.org 2013/12/24 06:00:59
> > >
> > > Modified files:
> > >     usr.bin/ftp: fetch.c ftp.1 ftp_var.h main.c
> > >
> > > Log message:
> > > Add support for SSL/TLS server certificate validation, enabled by default.
> > > See the documentation for the `-S' switch. This also allows setting the
> > > preferred ciphers for the communication.
> > >
> > > Documentation bits ok'ed by jmc@, ok beck@ sthen@.
> > >
> > > This will probably break some MASTER_SITES that use https:// but have
> > > improper / unrecognized certs / CAs. Please report the offender sites so
> > > that we can fix the Makefiles.
> >
> > ..or in some cases we may want to add the CA root to cert.pem.
>
> Oh, that too. For example my cousin Achmed also provides nice PKI
> software that we could include in the ports tree, but he suggested that
> we should first include his CA.
>
> *runs away*
>
> (https://bugzilla.mozilla.org/show_bug.cgi?id=647959)

I was looking for lolroot's certificate, but it looks like they're too
busy, server's down..