Everyone,

Let's step back a bit. It seems that the situation when it comes to
verifying your certificates against common commercial CAs perhaps isn't
so terrible as I first thought. The larger situation isn't so great.

So, here's what I propose:

- We add the support to nmh for basic certificate verification (including
CN/SAN matching of the server hostname). This would require you to have
a certificate in the default location for your OS for OpenSSL.
- This would be the default; we would have a profile entry that would fall
back to simply ignoring the certificate check.
- No CRL/OCSP verification would be done on the server certificate.

While I would love to support TOFU, I'm afraid it's too much code at
this point, since I still would like to get 1.7 out the door in a
reasonable timeframe. Supporting OCSP actually isn't too much code, but
I'm thinking about configuration issues, and also we'd want to cache
OCSP replies; it would suck to have to deal with a single OCSP query for
every TLS connection. Again, more code than I would like for 1.7.

Thoughts?

--Ken
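
What the proposed CN/SAN hostname matching has to decide, as an added example that is not nmh's code and not part of the original message: a simplified matcher following the usual conventions (as in RFC 6125), where SAN entries override the CN and a wildcard covers exactly one leftmost label. The function names and sample hostnames are hypothetical, and the names are assumed to have been extracted from the certificate already as NUL-terminated strings.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated ASCII names. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Match one certificate name against the hostname the client asked for.
 * A wildcard is accepted only as the whole leftmost label ("*.example.org")
 * and stands for exactly one label; this sketch rejects partial wildcards. */
static int name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *rest = strchr(host, '.');
        if (rest == NULL || rest == host)      /* host needs a first label */
            return 0;
        /* refuse "*.org" and any second wildcard */
        if (strchr(pattern + 2, '.') == NULL || strchr(pattern + 2, '*') != NULL)
            return 0;
        return eq_nocase(pattern + 2, rest + 1);
    }
    if (strchr(pattern, '*') != NULL)          /* e.g. "m*.example.org" */
        return 0;
    return eq_nocase(pattern, host);
}

/* Hypothetical helper: sans holds the certificate's dNSName entries, cn its
 * subject CN (or NULL). The CN is consulted only when there are no SANs. */
int cert_matches_host(const char *const *sans, size_t nsans,
                      const char *cn, const char *host)
{
    size_t i;
    if (nsans == 0)
        return cn != NULL && name_matches(cn, host);
    for (i = 0; i < nsans; i++)
        if (name_matches(sans[i], host))
            return 1;
    return 0;
}

int main(void)
{
    const char *sans[] = { "*.example.org", "imap.example.net" }; /* constructed */
    printf("%d\n", cert_matches_host(sans, 2, "other.test", "mail.example.org"));
    return 0;
}
```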