Tobias Ringstrom wrote:
> David Waite wrote:
>
>> I haven't had a chance to review the patch yet, just one overall
>> problem:
>>
>> I disagree with the removal of the ssl-ignore-* options; there have
>> been and continue to be many servers on the internet with an
>> incorrectly set hostname or expired certificate, which I have no
>> control over. If a user wants to shoot themselves in the foot, it is
>> their foot to shoot. All we can do is put warning labels on the gun,
>> bullets, and their shoes ;-)
>>
>> I even use ssl-ignore-invalid-hostname on my own repositories, and I
>> wrote both the options and the warnings.
>
>
> I thought I'd share my view of the ssl-ignore options.
>
> ssl-ignore-unknown-ca
> =====================
> Not needed anymore.
agreed.
>
> ssl-ignore-invalid-date
> =======================
> I think we should keep this one.
agreed.
>
> ssl-ignore-host-mismatch
> ========================
> This one really must die. I suggest (as I've done before) that it
> could/should be replaced with an option that accepts a particular
> hostname. The name proposed by David for such an option is
> ssl-override-cert-hostname.
agreed.
I guess I won't be the one starting sussman's war ;-)
> What do you think? I'd be happy to add the ssl-ignore-invalid-date
> back in, and also add a new ssl-override-cert-hostname option to the
> patch.
-David Waite
Received on Thu Sep 11 20:02:38 2003
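
The difference between ignoring a host mismatch and accepting one particular certificate hostname, as an added Python example that is not part of the original thread or of Subversion's code. The option names come from the thread; the matching rules, function names and certificate names are constructed assumptions.

```python
# Added illustration, not Subversion or neon code. All certificate names are constructed.

def name_matches(pattern, hostname):
    """Compare one certificate DNS name with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one left-most label and never a bare TLD.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def accept(cert_names, connect_host, ignore_host_mismatch=False,
           override_cert_hostname=None):
    """Hostname step only; CA chain and validity dates are assumed already checked."""
    if ignore_host_mismatch:
        return True  # any trusted certificate passes, whoever it was issued to
    expected = override_cert_hostname or connect_host
    return any(name_matches(n, expected) for n in cert_names)

# Constructed scenario: the repository is reached as svn.example.org, but its
# certificate was issued for build.example.net (the misconfigured server).
CONNECT_HOST = "svn.example.org"
MISNAMED_SERVER = ["build.example.net"]
# A certificate from a trusted CA for some unrelated name, presented by a
# different endpoint answering on the same address.
UNRELATED_CERT = ["www.unrelated.example"]

def compare_policies():
    """Return {policy: (misnamed server accepted, unrelated cert accepted)}."""
    policies = {
        "strict": {},
        "ssl-ignore-host-mismatch": {"ignore_host_mismatch": True},
        "ssl-override-cert-hostname": {"override_cert_hostname": "build.example.net"},
    }
    return {
        name: (accept(MISNAMED_SERVER, CONNECT_HOST, **kw),
               accept(UNRELATED_CERT, CONNECT_HOST, **kw))
        for name, kw in policies.items()
    }

if __name__ == "__main__":
    for policy, (server_ok, unrelated_ok) in compare_policies().items():
        print(f"{policy:28} server={server_ok!s:5} unrelated={unrelated_ok}")
```

Only the override policy accepts the misnamed server while still rejecting a certificate issued for any other name.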