Date: Tue, 27 Mar 2018 08:49:55 -0700
From: Conrad Meyer <cem@freebsd.org>
To: "Rodney W. Grimes" <rgrimes@freebsd.org>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers <src-committers@freebsd.org>
Subject: Re: svn commit: r331618 - head/share/man/man7
Message-ID: <CAG6CVpX3ieWWxA4eGEh_6kEq0Vpy3__a_GcyrZc7v-JcFodX=w@mail.gmail.com>
In-Reply-To: <201803271541.w2RFf2YM052688@pdx.rh.CN85.dnsmgr.net>
References: <CAG6CVpWf5Vkz_ACsAOrzuPR9-4z8hR6ATxnePKpMuP_jLkvVRA@mail.gmail.com> <201803271541.w2RFf2YM052688@pdx.rh.CN85.dnsmgr.net>
On Tue, Mar 27, 2018 at 8:41 AM, Rodney W. Grimes <freebsd@pdx.rh.cn85.dnsmgr.net> wrote:
> Without the private part of the TLS they can not alter that data,
> correct?

Correct — a property typically referred to as "integrity." (Well, obviously they can truncate streams with RST, but that isn't very subtle to any client.)

> I know there are TLS intercepts, but they require you to get the
> client to accept an alternate cert to proxy the connection.

Yep. Without a CA trust database, clients cannot distinguish valid certifications from invalid ones.

>> P.S., we should probably ship a CA database in base. Maybe with an
>> override version in ports to match our release model. But, base
>> should be able to authenticate certificates out of the box.
>
> I believe there is a group of people working on that issue
> some place, or at least I recall seeing it as an agenda item.

There was some contention even having the port install somewhere base SSL libraries could access it. We've made that change, though there is a non-default port option to turn it off.

I too have seen it on Core's agenda for months, without any outward visible progress.

Best,
Conrad
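The point Conrad makes about a CA trust database can be seen directly with the openssl command-line tool. The script below is an added example, not part of this thread or of the FreeBSD source tree: it constructs a throwaway CA, a leaf certificate that CA issues for the made-up name www.example.test, and an unrelated self-signed certificate for the same name (the kind of certificate an interposing proxy would present), then asks openssl to verify each with and without a CA bundle. The CA name, the host name, the directory layout and the function names are all assumptions of the example; it requires an openssl binary (1.1.0 or later for the -no-CAfile/-no-CApath options).

```shell
#!/bin/sh
# Added example, not from the thread: with a constructed throwaway CA, show why a
# TLS client needs a CA trust store ("CA database") to tell a legitimately
# issued certificate from one an interposing proxy made up. Requires openssl.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI (all names are made up): a CA, a leaf it signs for
# www.example.test, and an unrelated self-signed cert for the same name.
make_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.test" \
        -keyout "$dir/rogue.key" -out "$dir/rogue.pem" >/dev/null 2>&1
}

# Prints "trusted" or "rejected" for cert $2 when the client trusts CA bundle $1.
verify_with_ca() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

# Same check with no trust store at all: -no-CAfile/-no-CApath also hide the
# system store, which models a base system that ships no CA database.
verify_without_ca() {
    if openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

make_certs "$WORK"
echo "with CA bundle:    leaf=$(verify_with_ca "$WORK/ca.pem" "$WORK/leaf.pem")  rogue=$(verify_with_ca "$WORK/ca.pem" "$WORK/rogue.pem")"
echo "without CA bundle: leaf=$(verify_without_ca "$WORK/leaf.pem")  rogue=$(verify_without_ca "$WORK/rogue.pem")"
```

With the CA bundle in hand the client accepts the CA-issued leaf and rejects the self-signed impostor. Without any bundle both are rejected for the same reason (no trusted issuer), so a client in that position has no way to tell the legitimate certificate from the intercepting one; the only way to make connections work at all is to stop verifying, which is exactly the state the thread is discussing.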