Option allow_ca_cert for buggy server certificates where CA=true #160
Conversation
Dear @mbacarella, thanks for your PR. But to be honest, I'd really prefer to figure out which functions need to be exposed so you can in your application / library write such an authenticator yourself. Adding more and more arguments to I know back in the days, there was Reading a bit more on other TLS implementations, they usually provide a verify_callback. I guess from ocaml-x509 we could provide the building blocks for such a verification (of course, providing chain_of_trust and fingerprint authenticator as currently done). Would that work for you? |
I can appreciate your concern. So, I took a crack at writing an authenticator by copy/pasting code from This is as far as I got: Basically, I was a little anxious about having that much code duplicated with no easy way of being looped in to future improvements to upstream. But also it doesn't even work since not enough is exposed. The Shifting gears, what do you have in mind with a |
To provide some useful functions/building blocks to do the certificate authentication yourself. This requires some design for having a composable set of things of what is needed / useful in the real world -- otherwise it'll be rather clunky. |
Looking back to your original issue -- AFAICT the situation is that the default configuration of that service generates a private key and self-signed CA certificate. The latter is used for the TLS endpoint by default. Now, for validation we use the very same certificate as trust anchor and verify the server-provided certificate -- which is the identical one. Since the very special case is that it is a self-signed certificate, I'm thinking that we could allow it, independent of the Would you mind trying out whether #161 suits your needs? |
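An added illustration of the case described above, not code from ocaml-tls or the service in question: Go's crypto/x509 verifier accepts a presented certificate that is byte-identical to a configured trust anchor, so a self-signed CA=true certificate validates when it is itself the anchor but an unrelated self-signed certificate does not. All names and key material are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCA: a self-signed certificate with CA=true, like the service's default one (constructed, throwaway key).
func selfSignedCA(cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-issued: parent is the template, signed with its own key
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// verifyAgainstAnchor: validate a server-presented certificate against one trust anchor, as a TLS client does.
func verifyAgainstAnchor(presented, anchor *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

func main() {
	anchor, other := selfSignedCA("localhost"), selfSignedCA("localhost")
	fmt.Println(verifyAgainstAnchor(anchor, anchor), verifyAgainstAnchor(other, anchor)) // true false
}
```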
Wow, yes, #161 solves it nicely! Thank you. Sorry for not being competent enough in TLS certificate stuff to understand what the underlying problem was all along. |
@mbacarella please don't be sorry. I'm glad that solves the issue for you, and thanks for working on patches to make it work for you :) |
superseded by #161 |
See the PR at mirleft/ocaml-tls#466 for more information.