|
From: | Jeffrey Honig |
Subject: | Re: [Nmh-workers] TLS certificate validation |
Date: | Sat, 24 Sep 2016 12:43:55 -0400 |
The _code_ to do verify a certificate chain in OpenSSL is relatively
straightforward; I'm not worried about writing that. But sadly, the
configuration for all of that is lousy, and you start to see why web
browsers ship with their own set of root certificates. A brief survey
suggests to me that common open-source systems do not ship a set of
popular commercial root certificates. That would require people to get
root certificates ... and while I can imagine that SOME people, here
especially, would bother to do that, let's be honest: most people WON'T.
As we've seen, a lot of people don't use replyfilter despite it being
around for 4 years and something everyone complains about. So it would
be a fair amount of code that few people would use, and even less know
about.
[Prev in Thread] | Current Thread | [Next in Thread] |