David Waite wrote:
> I haven't had a chance to review the patch yet, just one overall problem:
>
> I disagree with the removal of the ssl-ignore-* options; there have been
> and continue to be many servers on the internet with an incorrectly set
> hostname or expired certificate, which I have no control over. If a user
> wants to shoot themselves in the foot, it is their foot to shoot. All we
> can do is put warning labels on the gun, bullets, and their shoes ;-)
>
> I even use ssl-ignore-invalid-hostname on my own repositories, and I
> wrote both the options and the warnings.
I thought I'd share my view of the ssl-ignore options.
ssl-ignore-unknown-ca
=====================
Not needed anymore.
ssl-ignore-invalid-date
=======================
I think we should keep this one.
ssl-ignore-host-mismatch
========================
This one really must die. I suggest (as I've done before) that it
could/should be replaced with an option that accepts a particular
hostname. The name proposed by David for such an option is
ssl-override-cert-hostname.
What do you think? I'd be happy to add the ssl-ignore-invalid-date back
in, and also add a new ssl-override-cert-hostname option to the patch.
/Tobias
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Thu Sep 11 14:18:41 2003