On 7 Jan 2017 at 15:28, Theo de Raadt wrote:

> > On Fri, Jan 06, 2017 at 10:48:37AM -0500, RD Thrush wrote:
> > > On 01/06/17 06:28, Stuart Henderson wrote:
> > > > Related to this (and particularly thinking about autoinstalls),
> > > > would it make sense to allow explicit protocols in the hostname?
> > > > 
> > > > some.host -> https with http fallback
> > > > http://some.host/ -> http only
> > > > https://some.host/ -> https only, no fallback
> > > 
> > > That would totally work for my install problem.
> > > 
> > > FWIW, instead of running a patched install.sub, "rm
> > > /etc/ssl/cert.pem" makes the install bypass the https attempt.
> > > 
> > 
> > Note, if you're upgrading or otherwise have a way to get a cert.pem
> > bundle onto there to *replace* the default, you could always drop the
> > signer for your private self-signed server into the cert.pem bundle,
> > at which point it would be accepted as trusted. 
> > 
> > of course if you're just installing you have an interesting chicken
> > and egg problem, unless you put it somewhere on an https site that
> > does have a real certificate, drop out of the installer and do
> > 
> > ftp -o /tmp/mysigner.pem https://my.secure.site/mysigner.pem
> > cat /tmp/mysigner.pem >> /etc/ssl/cert.pem
> > 
> > then continue the install, and you're good. 
> > 
> > Almost wonder if it's worth an extra question in the installer to ask
> > for an https address to retrieve a certificate bundle to be appended
> > to cert.pem for the install...
> 
> And we should also ask a firmware question?
> 
> Nope.  I don't think we should bend over backwards for people doing
> strange things.  They are on their own.
> 

Most of the time I agree with this particular attitude and it is indeed 
appropriate for the OP case. However, there are some major networks such as 
various governments (or for example .mil) that do not participate in 
the public PKI but run their own PKI infrastructure. What effect will 
the installer's checks have in that environment? What workarounds would 
be reasonable and appropriate? And does it make sense for OpenBSD to 
support such scenarios out-of-the-box to promote wider adoption of 
better software?
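
Added example, not part of the original thread and not code from install.sub: a sketch of the three server forms proposed above (bare host, http://, https://) turned into an ordered list of URLs to try, so that an explicit https:// never falls back to http. The function name fetch_plan and the file name index.txt are assumptions made for illustration.

```shell
#!/bin/sh
# fetch_plan SPEC PATH
# Prints, one per line and in order, the URLs an installer would try for PATH.
#   some.host          -> https first, then http fallback
#   http://some.host/  -> http only
#   https://some.host/ -> https only, no fallback
# Hypothetical helper; install.sub does not define it.
fetch_plan() {
	_spec=$1 _path=$2
	case $_spec in
	https://*)	_schemes="https" _host=${_spec#https://} ;;
	http://*)	_schemes="http" _host=${_spec#http://} ;;
	# Any other scheme (including odd capitalisation) fails closed
	# instead of being treated as a bare host name.
	*://*)		echo "unsupported scheme: ${_spec%%://*}" >&2
			return 1 ;;
	*)		_schemes="https http" _host=$_spec ;;
	esac

	# Drop trailing slashes so "https://some.host/" and "https://some.host"
	# produce the same URL.
	while [ "${_host%/}" != "$_host" ]; do
		_host=${_host%/}
	done
	if [ -z "$_host" ]; then
		echo "empty host in: $_spec" >&2
		return 1
	fi

	for _s in $_schemes; do
		echo "$_s://$_host/${_path#/}"
	done
}

# Constructed sample inputs: the three forms from the thread.
for spec in some.host http://some.host/ https://some.host/; do
	echo "== $spec"
	fetch_plan "$spec" index.txt
done
```

A caller would walk the printed list in order and stop at the first successful fetch; with an https:// spec the list has a single entry, so a TLS verification failure ends the attempt instead of downgrading.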
