On Wed, Jan 7, 2015 at 11:01 AM, Ludolf Holzheid <[email protected]> wrote:

> I don't know your setup, but if there is no proxy involved, you don't
> need the 'protocol=...' option. For certificate pinning, you'll
> certainly need 'CAfile=...' or 'CApath=...', and 'verify=LEVEL' with
> LEVEL not below 2

Hmm, what do you mean by "no proxy involved"? Unless I'm modifying the
source, wouldn't using stunnel essentially always be a proxy?

To be even more explicit, the HTTP client is cabal-install, which is a
program that downloads and compiles code from the Hackage public source
code repository for Haskell. cabal-install is HTTP only, whereas
Hackage supports both HTTP and HTTPS. I _could_ modify cabal-install,
as it is free, libre, and open source software, but for reasons both
good and bad, getting the changes pushed upstream is problematic. So I
was curious about finding a quick workaround for those concerned about
possible MITM attacks injecting malicious code into the packages, and came
up with the idea of a stunnel or nginx proxy. (Some of the people who
run Hackage are working on code signing, but who knows when that'll
finally be available...)

Perhaps the man page would make a little bit more sense to me on this count
if I had a better understanding of the TLS protocol and how it relates to
HTTPS, but that's not something I honestly know all that much about.
As it stands the man page is a bit opaque to me on this topic...

Best,
Leon
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
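As an added illustration that is not part of the thread, the following is a minimal stunnel client-mode configuration of the kind the quoted reply describes: stunnel listens for plain HTTP on localhost, opens a TLS connection to the real server, and refuses to proceed unless the server's certificate chain verifies against a local CA bundle. In stunnel's terms the "proxy" Ludolf refers to is an intermediate HTTP CONNECT proxy between stunnel and the server, which is what the `protocol = connect` option negotiates; stunnel itself acting as a local forwarder is not that case, so the option is omitted. The hostname, ports, file paths and the availability of `checkHost` (a stunnel 5.x service option) are assumptions for illustration, and the HTTP-only client would have to be pointed at the local listener instead of the remote server.

```ini
; Added example configuration, not taken from the thread or from the
; stunnel project. Hostname, ports and paths are assumptions.

; Global section
foreground = no
; assumed paths
pid = /var/run/stunnel-hackage.pid
output = /var/log/stunnel-hackage.log
; debug level 5 logs handshake and certificate verification failures,
; which is what an operator wants to see when a connection is refused
debug = 5

[hackage]
; Client mode: plaintext on the accept side, TLS on the connect side
client = yes
; The HTTP-only client talks to this local listener
accept = 127.0.0.1:8080
; The real server, TLS on port 443
connect = hackage.haskell.org:443
; Send SNI so the server presents the certificate for this name
sni = hackage.haskell.org

; Verification. Without 'verify' of at least 2 stunnel accepts any
; certificate and the tunnel gives no protection against an on-path
; attacker substituting packages.
; Distribution CA bundle (assumed path; Debian-style)
CAfile = /etc/ssl/certs/ca-certificates.crt
; Level 2: verify the peer certificate chain against CAfile/CApath
verify = 2
; Also require the certificate to be issued for this hostname
; (service option available in stunnel 5.x; assumed present)
checkHost = hackage.haskell.org

; Deliberately no 'protocol = connect' line: that option only negotiates
; passage through an HTTP CONNECT proxy between stunnel and the server.
```

Two design points worth checking in practice. First, `verify = 2` alone only proves the certificate chains to some trusted CA; without a hostname check (`checkHost`, or an equivalent check in a version that lacks it) a valid certificate for any other name would also be accepted, so the name check is what turns chain validation into a meaningful defence against substitution. Second, true pinning is stronger than CA validation: stunnel's `verify = 3` checks the peer certificate against a locally installed copy rather than only against a CA chain, at the cost of having to update that copy whenever the server's certificate is rotated, so the choice between 2 and 3 is an operational trade-off rather than a correctness one.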
