Re: Is Permanently Accept SSL Certificate gone in 1.10.4 ?

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Fri, 19 Jul 2019 21:52:32 +0000

Stefan Sperling wrote on Fri, 19 Jul 2019 18:45 +00:00:
> It looks like the interactive prompt omits an option to save the cert
> if it sees a certificate failure of class 'other' from the above list.
> I am not sure why this decision was made but that's what the current
> code seems to do.

The rationale is that if we don't know what the failure reason _is_, we
don't know whether it's safe to ignore it permanently. In other words,
it only offers "permanently" if the failure bits are all whitelisted.

The downside is that there's no easy way for a user to say "I know what
I'm doing, and I _do_ want to ignore this permanently; make it so", such
as a utility that takes a PEM form certificate (on, say, stdin) and
marks it as permanently trusted.

> So I suspect your SSL cert is failing for some reason
> other than unknown-ca, cn-mismatch, expired, not-yet-valid.
Received on 2019-07-19 23:52:46 CEST

This message: [ Message body ]
Next message: Stefan Sperling: "Re: Is Permanently Accept SSL Certificate gone in 1.10.4 ?"
Previous message: Stefan Sperling: "Re: Is Permanently Accept SSL Certificate gone in 1.10.4 ?"
In reply to: Stefan Sperling: "Re: Is Permanently Accept SSL Certificate gone in 1.10.4 ?"
Next in thread: Stefan Sperling: "Re: Is Permanently Accept SSL Certificate gone in 1.10.4 ?"
Reply: Stefan Sperling: "Re: Is Permanently Accept SSL Certificate gone in 1.10.4 ?"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]