Only SSL checks for *.sha2017.org #97
Comments
Yes, but how do we 'know' to use that (root) certificate? The whole 'just *.sha2017.org' bit of code enforces certificate validation only for the domain since we know what root CA it uses.
Is it not possible to do the same for Let's Encrypt? Root certs from LE. This kinda crypto is not my area of expertise, I'm just doodling out what would be nice to see.
You cannot add only part of the root CAs, because you don't know which domain uses which root CA.
I am thinking about an 'ssl-certs' egg/addon, which manages a path with TLS certificates (/etc/tls/?) and then could fix the TLS library to automatically load root certificates from that path.
Is this still a wontfix with @basvs comments?
Well... if there is a clear path on how to do this. Code-wise it should not be very hard, but I don't really see any way to do this and maintain compatibility with other things.
With mbedtls_ssl_conf_verify() you can add your own callback to verify certificates. If the library then cannot verify a certificate, this method is called. We can look up the root certificate, then search on the filesystem for a file "/etc/certificates/".md5(cert.subject) and call the mbedtls_x509_crt_verify() method again, but now with the extra root certificate and without the callback handler.
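The lookup the comment above proposes (find the root on the filesystem by a hash of its subject, then verify again against only that root), shown as an added example that is not from the badge firmware and uses the openssl CLI rather than mbedtls: OpenSSL's hashed CA directory is the same design with `openssl x509 -hash` in place of md5(subject). It assumes the openssl CLI is installed; every certificate, key and hostname below is generated inside the script.

```shell
#!/bin/sh
# Added example, not code from the badge firmware. Models the "find the root CA on the
# filesystem by a hash of its subject" scheme with OpenSSL's hashed CA directory, where
# each root is stored as <subject_hash>.0 (openssl x509 -hash) instead of md5(subject).
# Assumes the openssl CLI; every certificate and name below is generated here.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
STORE="$WORK/certificates"      # stand-in for the proposed /etc/certificates/
mkdir -p "$STORE"

# Minimal req config so the roots carry a real CA basicConstraints extension.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

gen_ca() {   # $1 = file prefix, $2 = CN: self-signed root
  openssl req -x509 -config "$WORK/req.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
gen_leaf() { # $1 = file prefix, $2 = CA prefix, $3 = hostname: leaf issued by that CA
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.crt" 2>/dev/null
}
gen_ca   trusted "Example Trusted Root"
gen_ca   rogue   "Example Untrusted Root"
gen_leaf good trusted badge.sha2017.org
gen_leaf bad  rogue   badge.sha2017.org   # same hostname, issuer not in the store

# Install a root under its subject-hash name, so lookup is a filename match, not a scan.
install_root() { cp "$1" "$STORE/$(openssl x509 -noout -hash -in "$1").0"; }
install_root "$WORK/trusted.crt"

# Verify against ONLY that directory: default locations are switched off so the system
# roots cannot mask a missing entry (-no-CAstore exists only in OpenSSL 3, hence the probe).
NO_DEFAULTS="-no-CAfile"
openssl verify -help 2>&1 | grep -q -- -no-CAstore && NO_DEFAULTS="$NO_DEFAULTS -no-CAstore"
verify_leaf() {  # $1 = leaf PEM; prints ok/fail and returns 0/1
  if openssl verify -CApath "$STORE" $NO_DEFAULTS "$1" >/dev/null 2>&1; then echo ok
  else echo fail; return 1; fi
}
verify_leaf "$WORK/good.crt"          # ok
verify_leaf "$WORK/bad.crt" || true   # fail
```

Adding a second root is just another `install_root` call; nothing else on the verifying side changes, which is the property the per-domain `*.sha2017.org` check lacks.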
Can we include Let's Encrypt?