[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Nmh-workers] TLS certificate validation

From: Ken Hornstein
Subject: Re: [Nmh-workers] TLS certificate validation
Date: Sun, 25 Sep 2016 22:07:36 -0400


Let's step back a bit.  It seems that the situation when it comes to
verifying your certificates against common commercial CAs perhaps isn't
so terrible as I first though.  The larger situation isn't so great.
So, here's what I propose:

- We add the support to nmh for basic certificate verification (including
  CN/SAN matching of the server hostname).  This would require you to have
  a certificate in the default location for your OS for OpenSSL.
- This would be the default; we would have a profile entry that would fall
  back to simply ignoring the certificate check.
- No CRL/OCSP verification would be done on the server certificate.

While I would love to support TOFU, I'm afraid it's too much code at
this point, since I still would like to get 1.7 out the door in a
reasonable timeframe.  Supporting OCSP actually isn't too much code, but
I'm thinking about configuration issues, and also we'd want to cache
OCSP replies; it would suck to have to deal with a single OCSP query for
every TLS connection.  Again, more code than I would like for 1.7.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]