Re: self signed certificates patch
From: Alexey M. <al...@hs...> - 2002-05-05 18:48:48
>>>>> "AD" == Alberto Dainotti <al...@ur...> writes:

AD> Hello, what about an env variable to allow connections to servers with
AD> self signed certificates ? A patch is attached.

Hello,

sorry for a pause with an answer: we had long holidays here, and I was slightly fscked up for a week, so I blissfully ignored all the activity in development lists :) (though I've read it all!)

I have a meta-question that concerns almost every SSL client :) This question is also two-fold, with the second half concerning the CVS SSL client.

As far as I can tell, there are several common situations which should be handled by any SSL client, and some of them should have some kind of user option for what to do with them:

- self-signed certificates;
- expired certificates;
- unknown CA;
- maybe there's more which I don't remember now.

Browsers commonly allow overriding decisions for each particular situation, asking the user what to do with it: cancel or continue connecting.

I believe that we would have to deal with this somehow earlier or later, so let's try to preliminarily discuss it.

*** below goes some rough draft on that issue ***

There must be some common extendable facility providing the site-level/user-level SSL policy. Each and every SSL client should consult this facility and act accordingly.

This could be done with a couple of configuration files, something like /etc/ssl-policy.conf and ~/.ssl-policy.conf, containing lines like that:

    self-signed-certificates: allow
    expired-certificates: ask
    unknown-ca: deny

etc.

The user-level configuration file could override the site-level configuration file towards more strictness.

I think there should be some provisions for that in OpenSSL, but a quick glance over /etc/ssl/openssl.cnf didn't uncover any. Maybe it should be discussed with OpenSSL folks, cleaned up, and used consistently.

Oh lord, I remember how I was subscribed to openssl-dev. That was pain. But something should be done about this.

Your thoughts?

I do not think that any short-cuts will suffice.

--alexm
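The site-level/user-level policy scheme sketched in the message above, worked through as an added example (this is not code from the thread, the CVS SSL client, or OpenSSL). It parses two policy files of the form the post proposes, merges them so that the user file can only tighten what the site file says, and then picks one action for a connection that raised one or more of the listed situations. Everything not in the post is an assumption: the strictness ordering deny > ask > allow, the fail-closed default `deny` for situations neither file mentions, the rule that a user setting is accepted where the site file is silent, and the `#` comment syntax. The two policy files are constructed strings standing in for /etc/ssl-policy.conf and ~/.ssl-policy.conf.

```python
"""Site/user SSL policy files merged towards strictness (added example)."""
from typing import Dict, Iterable

# Strictness ordering: a higher number may override a lower one (assumption).
STRICTNESS = {"allow": 0, "ask": 1, "deny": 2}

# Situations the post lists; anything else falls back to DEFAULT_ACTION.
KNOWN_SITUATIONS = ("self-signed-certificates", "expired-certificates", "unknown-ca")
DEFAULT_ACTION = "deny"  # fail closed for situations no file mentions (assumption)

# Constructed sample files; stand-ins for /etc/ssl-policy.conf and ~/.ssl-policy.conf.
SITE_POLICY = """
# site-level policy (constructed sample)
self-signed-certificates: ask
expired-certificates: ask
unknown-ca: deny
"""

USER_POLICY = """
# user-level policy (constructed sample)
self-signed-certificates: deny   # stricter than the site file: takes effect
unknown-ca: allow                # looser than the site file: ignored
"""


def parse_policy(text: str) -> Dict[str, str]:
    """Parse 'situation: action' lines; '#' comments and blank lines are skipped."""
    policy: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'situation: action', got {raw!r}")
        key, value = (part.strip().lower() for part in line.split(":", 1))
        if value not in STRICTNESS:
            raise ValueError(f"line {lineno}: unknown action {value!r} for {key!r}")
        policy[key] = value
    return policy


def merge_policies(site: Dict[str, str], user: Dict[str, str]) -> Dict[str, str]:
    """Apply user settings only where they are at least as strict as the site's.

    A situation the site file does not mention is left to the user file
    (assumption); an attempt to loosen a site rule is silently kept at the
    site value.
    """
    merged = dict(site)
    for key, action in user.items():
        if key not in site or STRICTNESS[action] >= STRICTNESS[site[key]]:
            merged[key] = action
    return merged


def decide(policy: Dict[str, str], situations: Iterable[str]) -> str:
    """Return one action for a connection that raised the given situations.

    The strictest configured action wins, so a connection that is both
    expired and self-signed is denied if either situation says deny.
    A connection that raised no situation is allowed.
    """
    actions = [policy.get(s, DEFAULT_ACTION) for s in situations]
    if not actions:
        return "allow"
    return max(actions, key=STRICTNESS.__getitem__)


def effective_policy() -> Dict[str, str]:
    """Merge the two constructed sample files."""
    return merge_policies(parse_policy(SITE_POLICY), parse_policy(USER_POLICY))


if __name__ == "__main__":
    policy = effective_policy()
    for situation in KNOWN_SITUATIONS:
        print(f"{situation}: {policy[situation]}")
    print("expired only ->", decide(policy, ["expired-certificates"]))
    print("expired + self-signed ->",
          decide(policy, ["expired-certificates", "self-signed-certificates"]))
    print("unlisted situation ->", decide(policy, ["something-else"]))
```

With the sample files, the user's `deny` for self-signed certificates takes effect, the user's attempt to `allow` an unknown CA is ignored, and an expired certificate still prompts with `ask` because neither file tightened it. Whatever the client does with `ask` (a prompt, or an environment variable such as the one the patch proposes) is a separate decision; the point of the merge is that a per-user setting can never end up weaker than the site policy.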