Re: [dev] [surf] badssl.com

2016-10-14 Thread Alexander Keller
Thanks Quentin! Sounds like it's all under control. Just wanted to bring it up in case nobody knew.

Re: [dev] [surf] badssl.com

2016-10-14 Thread Nick
Quoth Quentin Rameau:
> > It does, but it will still make the connection. I'd rather some
> > dialog box, so that my session state won't be automatically passed
> > along to an untrusted server. Not sure the most elegant way to do
> > this - I suppose one could have a little dmenu prompt

Re: [dev] [surf] badssl.com

2016-10-14 Thread Nick
Quoth Alexander Keller:
> > surf is not _silently_ ignoring them. If the validation fails, `sslfailed`
> > will be true and in the window title you can see a `…:U` for untrusted
> > instead of `…:T` for trusted.
>
> You're right. It does provide that feedback. My apologies. :)

It does, but it

Re: [dev] [surf] badssl.com

2016-10-13 Thread Alexander Keller
> surf is not _silently_ ignoring them. If the validation fails, `sslfailed`
> will be true and in the window title you can see a `…:U` for untrusted
> instead of `…:T` for trusted.

You're right. It does provide that feedback. My apologies. :) I've just been doing a bunch of digging in the TLS

Re: [dev] [surf] badssl.com

2016-10-13 Thread Markus Teich
Alexander Keller wrote:
> If the alternative is too much, perhaps changing
> strictssl = FALSE \* Refuse untrusted SSL connections *\
> to
> strictssl = FALSE \* Validate SSL certificates from server *\
> would help better inform what it does. My initial understanding when I
> used

Re: [dev] [surf] badssl.com

2016-10-13 Thread Alexander Keller
> That's in the config, the user should be responsible for it.

True, it is in the config. It's also the default. If the alternative is too much, perhaps changing
strictssl = FALSE \* Refuse untrusted SSL connections *\
to
strictssl = FALSE \* Validate SSL certificates from server

Re: [dev] [surf] badssl.com

2016-10-12 Thread Ali H. Fardan
That's in the config, the user should be responsible for it.

Raiz

On 2016-10-13 00:02, Alexander Keller wrote:
I just took surf to badssl.com to test how the TLS implementation in surf reacts. To test I took the default Arch Linux package for a ride. It failed the test. This is because by

[dev] [surf] badssl.com

2016-10-12 Thread Alexander Keller
I just took surf to badssl.com to test how the TLS implementation in surf reacts. To test I took the default Arch Linux package for a ride. It failed the test. This is because by default:

static Bool strictssl = FALSE;

Without this set to TRUE, the browser effectively does not look at the