Re: https and self signed




On Jun 15, 2016, at 7:47 AM, Jerry Geis <geisj@xxxxxxxxxxxxxxx> wrote:
> 
> Yes I can add the --insecure for curl - but - my other app doesn't
> seem to work either - perhaps getting the same return message instead of
> the actual file.

Because of all the security holes people have been finding in TLS, libraries implementing the client side of TLS are getting increasingly intolerant of risky configurations.

It’s too bad, because self-signed certificates are only unusual on the public Internet.  I wish the designers of TLS had included a flag in the cert that let it declare that it was only to be trusted on a private intranet by clients of that same intranet.

For example, instead of declaring that the given server is foo.example.com, it would be nice if you could generate a self-signed cert that declares that it is for 172.16.69.42, and that any host on 172.16.69.0/24 should trust it implicitly.

Such a cert could not be used to prove identity, prevent spoofing, or prevent MITM attacks, but it would give a way to set up encryption, which is often all you actually want.  MITM attacks could be largely prevented with certificate pinning.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
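An added example, not part of the thread above: the safer alternatives to `curl --insecure` for a self-signed cert like the one discussed, namely minting the cert with the server's IP in its subjectAltName and then handing curl either the cert itself as the trust anchor (`--cacert`) or the public-key pin (`--pinnedpubkey`). It assumes `openssl` is installed; the IP address comes from the thread, while the work directory and file names are constructed for illustration.

```shell
#!/bin/sh
# Self-signed certificate for an IP address, trusted explicitly rather than by
# disabling verification. The IP is the one used in the thread; WORKDIR and
# the file names are assumptions made for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_IP="172.16.69.42"

# Generate a key and a self-signed certificate whose SAN is the server's IP
# (what modern clients check; the CN alone is no longer enough).
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 10 \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.crt" \
        -subj "/CN=$SERVER_IP" \
        -addext "subjectAltName = IP:$SERVER_IP" >/dev/null 2>&1
}

# Value curl expects after "sha256//" in --pinnedpubkey:
# base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).
spki_pin() {
    openssl x509 -in "$WORKDIR/server.crt" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
}

# The cert validates when it is itself the trust anchor, which is what
# `curl --cacert server.crt` does instead of `--insecure`.
verify_as_anchor() {
    openssl verify -CAfile "$WORKDIR/server.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Confirm the IP SAN is really present before deploying the cert.
has_ip_san() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -text \
        | grep -q "IP Address:$SERVER_IP"
}

make_self_signed_cert
# Two ways to talk to the server without turning verification off:
echo "curl --cacert $WORKDIR/server.crt https://$SERVER_IP/"
echo "curl --pinnedpubkey 'sha256//$(spki_pin)' https://$SERVER_IP/"
```

Pinning the SPKI hash rather than the whole cert lets the certificate be re-issued with the same key without changing the pin, which is what the pinning mentioned in the reply buys you against an on-path attacker.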



