Re: [Nmh-workers] TLS certificate validation
From: Ken Hornstein
Subject: Re: [Nmh-workers] TLS certificate validation
Date: Sun, 25 Sep 2016 22:07:36 -0400
Everyone,
Let's step back a bit. It seems that the situation when it comes to
verifying your certificates against common commercial CAs perhaps isn't
so terrible as I first thought. The larger situation isn't so great.
So, here's what I propose:
- We add the support to nmh for basic certificate verification (including
CN/SAN matching of the server hostname). This would require you to have
a certificate in the default location for your OS for OpenSSL.
- This would be the default; we would have a profile entry that would fall
back to simply ignoring the certificate check.
- No CRL/OCSP verification would be done on the server certificate.
While I would love to support TOFU, I'm afraid it's too much code at
this point, since I still would like to get 1.7 out the door in a
reasonable timeframe. Supporting OCSP actually isn't too much code, but
I'm thinking about configuration issues, and also we'd want to cache
OCSP replies; it would suck to have to deal with a single OCSP query for
every TLS connection. Again, more code than I would like for 1.7.
Thoughts?
--Ken
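The proposal above (verify against the OS default trust store, match the server hostname against the certificate's SAN/CN, offer a profile-entry fallback that skips the check, and do no CRL/OCSP checking) sketched as a runnable example. This is an added illustration, not nmh code and not Ken's patch; nmh itself is C on OpenSSL, and the Python ssl module is used here only because it exposes the same OpenSSL defaults. The `verify` flag standing in for the profile entry, the `SAMPLE_*` certificates, and every hostname in them are assumptions constructed for the example.

```python
import socket
import ssl
from typing import Any, Mapping

# Constructed sample of what ssl.SSLSocket.getpeercert() returns for a
# server certificate (assumption: names and fields are made up for illustration).
SAMPLE_SAN_CERT: Mapping[str, Any] = {
    "subject": ((("commonName", "mail.example.org"),),),
    "subjectAltName": (("DNS", "mail.example.org"), ("DNS", "*.imap.example.org")),
}
# Legacy certificate with no SAN extension at all (constructed).
SAMPLE_CN_ONLY_CERT: Mapping[str, Any] = {
    "subject": ((("countryName", "XX"),), (("commonName", "legacy.example.org"),)),
}
# Certificate whose CN matches but whose SAN list does not (constructed).
SAMPLE_SAN_OVERRIDES_CN_CERT: Mapping[str, Any] = {
    "subject": ((("commonName", "cn.example.org"),),),
    "subjectAltName": (("DNS", "san.example.org"),),
}


def make_context(verify: bool = True) -> ssl.SSLContext:
    """Build the TLS client context for the two policies in the proposal.

    verify=True  : the proposed default. create_default_context() loads the
                   OS default CA location, requires a chain to a trusted root
                   and checks the hostname. It sets no CRL-checking flags, so,
                   as in the proposal, revocation is not consulted.
    verify=False : the profile-entry fallback (assumed name 'verify'): the
                   server certificate is accepted without any check.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False        # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE   # no chain check, no hostname check
    return ctx


def context_policy(ctx: ssl.SSLContext) -> str:
    """Summarise a context's policy as a string (handy for logging and tests)."""
    if ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname:
        return "verify+hostname"
    if ctx.verify_mode == ssl.CERT_NONE:
        return "unverified"
    return "verify-only"


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive, '*' only as the whole leftmost
    label, matching exactly one label, never against a public suffix like '*.org'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: Mapping[str, Any], hostname: str) -> bool:
    """CN/SAN matching as the proposal describes: dNSName SAN entries are
    authoritative; the CN is consulted only when no DNS SAN is present."""
    san_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_names:
        return any(_name_matches(name, hostname) for name in san_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, hostname)
    return False


def connect_tls(host: str, port: int, verify: bool = True) -> ssl.SSLSocket:
    """Open a TLS connection under the chosen policy (not exercised offline).

    server_hostname is passed even in the fallback so SNI still works; the
    context decides whether the certificate is checked at all."""
    ctx = make_context(verify)
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)
```

With `verify=True` a bad chain or a name mismatch raises `ssl.SSLCertVerificationError` from `wrap_socket`; with `verify=False` the same connection succeeds silently, which is exactly the trade-off a profile entry of this kind makes and why it should not be the default.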