Re: self signed certificates patch
From: Alberto D. <al...@ur...> - 2002-05-08 13:24:25
On Sun, 5 May 2002, Alexey Mahotkin wrote:

> As far as I can tell, there are several common situations which should be
> handled by any SSL client, and some of them should have some kind of user
> option for what to do with them:
>
> - self-signed certificates;
>
> - expired certificates;
>
> - unknown CA;
>
> - maybe there's more which I don't remember now.
>
>
> Browsers commonly allow to override decisions for each particular
> situation, asking user about what to do with this: cancel or continue
> connecting.
>
> I believe that we would have to deal with this somehow earlier or later, so
> let's try to preliminarily discuss it.
>
>
> *** below goes some rough draft on that issue ***
>
> There must be some common extendable facility providing the
> site-level/user-level SSL policy. Each and every SSL client should consult
> this facility and act accordingly.
>
> This could be done with a couple of configuration files, something like
> /etc/ssl-policy.conf and ~/.ssl-policy.conf, containing lines like that:
>
> self-signed-certificates: allow
> expired-certificates: ask
> unknown-ca: deny
>
> etc. User-level configuration file could override the site-level
> configuration file towards more strictness.
>
>
> I think there should be some provisions for that in OpenSSL, but quick
> glance over /etc/ssl/openssl.cnf didn't uncover any. Maybe it should be
> discussed with OpenSSL folks, cleaned up, and used consistently.
>
>
> Oh lord I remember how I was subscribed to openssl-dev. That was pain.
> But something should be done about this.
>
>
> Your thoughts? I do not think that any short-cuts will suffice.
>
> --alexm

I totally agree with you!
This is the right way to do it.

Alberto Dainotti
URIZEN - Internetworking & Digital Security
http://www.urizen.it
PGP Key available at: http://www.urizen.it/pgp
Key Fingerprint: 87CF D95A CE0F 3188 3950 4B1F 3B56 DE69 D05F B8F5
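The site-level/user-level override rule from the quoted draft, as an added example that is not part of the original message or of any project's code. It assumes the strictness ordering allow < ask < deny, `#` comments in the files, and "deny" for any key neither file sets; the function names and the user-level sample are constructed for illustration.

```python
# Added example: a merge of the draft's two policy files in which the
# user-level file can only make the site-level policy stricter.
# Assumption (not stated in the thread): strictness is allow < ask < deny.
STRICTNESS = {"allow": 0, "ask": 1, "deny": 2}
KEYS = ("self-signed-certificates", "expired-certificates", "unknown-ca")


def parse_policy(text):
    """Parse 'key: action' lines. '#' comments are an assumed syntax."""
    policy = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, action = line.partition(":")
        key, action = key.strip().lower(), action.strip().lower()
        # Reject typos outright: a misspelled 'deny' must not become 'allow'.
        if not sep or key not in KEYS or action not in STRICTNESS:
            raise ValueError(f"line {lineno}: invalid policy entry {raw!r}")
        policy[key] = action
    return policy


def effective_policy(site, user):
    """Per key, keep whichever of the site and user actions is stricter."""
    result = {}
    for key in KEYS:
        site_action = site.get(key, "deny")      # assumed fail-closed default
        user_action = user.get(key, site_action)
        result[key] = max(site_action, user_action, key=STRICTNESS.get)
    return result


# Site-level sample is the one quoted in the draft.
SITE_CONF = """\
self-signed-certificates: allow
expired-certificates: ask
unknown-ca: deny
"""

# Constructed user-level sample: one tightening, one attempted loosening.
USER_CONF = """\
self-signed-certificates: ask     # stricter than site: takes effect
expired-certificates: allow       # looser than site: ignored
"""


def demo():
    return effective_policy(parse_policy(SITE_CONF), parse_policy(USER_CONF))


if __name__ == "__main__":
    for key, action in demo().items():
        print(f"{key}: {action}")
```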