Re: lynx-dev Patch for SSL warning

From: David Woolley
Subject: Re: lynx-dev Patch for SSL warning
Date: Thu, 21 Nov 2002 06:49:13 +0000 (GMT)

> he said the cert is self-signed.  he would have to tell openssl that
> this signature is trusted.

Self signing the server certificate is not very sensible, but that
would be the one to install if it is self signed.  A more sensible
approach would be for them to create a self signed (i.e. root)
certificate for the whole organisation, and use that to sign the
server certificates.

> the reason for the "sudden" appearing of these warnings might be the
> better cert checking in recent openssl implementations.  from 0.9.7 on
> they will even check revocation lists (CRLs) :)

Agreed.  This is the basis on which I'm saying disabling the warning
would be a big mistake.

> maybe it's enough to fetch the server's certificate and put it into
> local/ssl/certs?

I was suggesting installing the self-signed certificate; hopefully it
isn't the server certificate, but even if it is, that's the one to 
install.  The certificate is generally public knowledge as the server
will send it at the start of every session, but the server isn't generally
a trusted source.  (It's possible that installing the server one, even if
it isn't the self signed one, may work; I think that works on some of
the big 2, as the presence in your local certificate store implies 
ultimate trust.)
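
The layout suggested in the message above, as an added example that is not part of the original post: a self-signed organisational root signs the server certificate, so a client that installs only the root accepts the server, while a self-signed server certificate is accepted only where that exact certificate has been installed. All names and paths are constructed, and the script assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: an organisation root CA signs a server certificate.
# Every name and path here is constructed for the demonstration.

make_pki() {   # $1 = directory to write keys and certificates into
    d=$1
    # Self-signed root certificate for the whole organisation.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Org/CN=Example Org Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Server key plus signing request, then the root signs it.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Org/CN=www.example.org" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -days 30 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/server.pem" 2>/dev/null || return 1
    # For comparison: a server certificate that signs itself.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=selfsigned.example.org" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null || return 1
}

# trusted_by ANCHOR CERT: true when CERT chains to the installed ANCHOR.
trusted_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

report() {     # print one line per (anchor, certificate) pair
    if trusted_by "$1" "$2"; then r=accepted; else r=rejected; fi
    echo "anchor=$(basename "$1") cert=$(basename "$2") -> $r"
}

demo=$(mktemp -d) && make_pki "$demo" && {
    report "$demo/ca.pem"   "$demo/server.pem"
    report "$demo/self.pem" "$demo/self.pem"
    report "$demo/ca.pem"   "$demo/self.pem"
    report "$demo/self.pem" "$demo/server.pem"
}
rm -rf "$demo"
```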
