Re: curl and certificate verification in jessie

[Ian Jackson <ijackson@chiark.greenend.org.uk>]

Tollef Fog Heen writes ("Re: curl and certificate verification in jessie"):
> Ian Jackson:
> > Each time you generate an EE key which you intend to use this way,
> > also create an ad-hoc single-shot CA.  Generate one EE certificate
> > using the CA, on the EE public key, and then throw the CA private key
> > away (or keep it alongside the EE private key).  In clients, configure
> > the ad-hoc CA public key instead of the EE public key.
> 
> Given we want those certificates to be usable by people using normal web
> browsers too, this will lead to lots of popups about untrusted CAs,
> unless we get our certificate provider to sign those CA certs for us.  I
> don't think they're willing to do that.

Oh, I see.  I hadn't understood you were trying to do that too.

> > This is of course all very tedious and it would be nice to fix the TLS
> > libraries.  But if (as I suspect) the desired configuration is
> > (absurdly) forbidden by the standards, we might have to use this
> > workaround.
> 
> This is free software.  We can fix the software to DTRT if we need to.

That's true, but we might not want to carry an intrusive
security-relevant patch.  I asked around on a local irc channel and am
none the wiser about the standards question.

I haven't done any code archaeology in gnutls28.  I think that's the
next place to look, since no-one seems to have any better information :-/.

Ian.