Re: [Nmh-workers] TLS certificate validation

[Ken Hornstein]

Everyone

Let's step back a bit.  It seems that the situation when it comes to
verifying your certificates against common commercial CAs perhaps isn't
so terrible as I first though.  The larger situation isn't so great.
So, here's what I propose:

- We add the support to nmh for basic certificate verification (including
  CN/SAN matching of the server hostname).  This would require you to have
  a certificate in the default location for your OS for OpenSSL.
- This would be the default; we would have a profile entry that would fall
  back to simply ignoring the certificate check.
- No CRL/OCSP verification would be done on the server certificate.

While I would love to support TOFU, I'm afraid it's too much code at
this point, since I still would like to get 1.7 out the door in a
reasonable timeframe.  Supporting OCSP actually isn't too much code, but
I'm thinking about configuration issues, and also we'd want to cache
OCSP replies; it would suck to have to deal with a single OCSP query for
every TLS connection.  Again, more code than I would like for 1.7.

Thoughts?

--Ken