> On Fri, Jan 06, 2017 at 10:48:37AM -0500, RD Thrush wrote:
> > On 01/06/17 06:28, Stuart Henderson wrote:
> > > Related to this (and particularly thinking about autoinstalls),
> > > would it make sense to allow explicit protocols in the hostname?
> > > 
> > > some.host -> https with http fallback
> > > http://some.host/ -> http only
> > > https://some.host/ -> https only, no fallback
> > 
> > That would totally work for my install problem.
> > 
> > FWIW, instead of running a patched install.sub, "rm /etc/ssl/cert.pem" 
> > makes the install bypass the https attempt.
> > 
> 
> Note, if you're upgrading or otherwise have a way to get a cert.pem bundle onto there to *replace*
> the default, you could always drop the signer for your private self-signed server into the cert.pem
> bundle, at which point it would be accepted as trusted.
> 
> Of course if you're just installing you have an interesting chicken and egg problem, unless
> you put it somewhere on an https site that does have a real certificate, drop out of the
> installer and do
> 
> ftp -o /tmp/mysigner.pem https://my.secure.site/mysigner.pem
> cat /tmp/mysigner.pem >> /etc/ssl/cert.pem
> 
> then continue the install, and you're good. 
> 
> Almost wonder if it's worth an extra question in the installer to ask
> for an https address to retrieve a certificate bundle to be appended to cert.pem
> for the install...

And we should also ask a firmware question?

Nope.  I don't think we should bend over backwards for people doing strange
things.  They are on their own.
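
The hostname convention proposed earlier in the thread (bare host: https with http fallback; `http://`: http only; `https://`: https only, no fallback), sketched as an added shell example. It is not OpenBSD's install.sub code and not from any poster; the function names and the stub fetcher are hypothetical.

```shell
# Added example: names below are hypothetical, not from install.sub.

# scheme_plan SPEC: print the schemes to try, in order, for a server spec.
scheme_plan() {
	case $1 in
	https://*) echo "https" ;;       # https only, never downgraded
	http://*)  echo "http" ;;        # http only
	*://*)     return 1 ;;           # any other explicit scheme is rejected
	*)         echo "https http" ;;  # bare host: https, then http fallback
	esac
}

# host_of SPEC: strip an optional scheme and anything after the host.
host_of() {
	_h=${1#*://}
	echo "${_h%%/*}"
}

# fetch_with_policy SPEC FETCHER: call "FETCHER scheme host" for each scheme
# in the plan; print the scheme that succeeded, or return 1 if none did.
fetch_with_policy() {
	_plan=$(scheme_plan "$1") || return 1
	_host=$(host_of "$1")
	for _s in $_plan; do
		if "$2" "$_s" "$_host"; then
			echo "$_s"
			return 0
		fi
	done
	return 1
}

# Constructed stand-in for a server whose certificate does not verify
# against cert.pem: every https attempt fails, plain http succeeds.
untrusted_cert_server() { [ "$1" = http ]; }
```

With the stub above, `fetch_with_policy some.host untrusted_cert_server` ends up on http, while the same call with `https://some.host/` fails instead of silently downgrading.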


