From: Conrad Meyer
Reply-To: cem@freebsd.org
Date: Tue, 27 Mar 2018 08:49:55 -0700
Subject: Re: svn commit: r331618 - head/share/man/man7
To: "Rodney W. Grimes"
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers
List-Id: SVN commit messages for the src tree for head/-current

On Tue, Mar 27, 2018 at 8:41 AM, Rodney W. Grimes wrote:
> Without the private part of the TLS they can not alter that data,
> correct?

Correct — a property typically referred to as "integrity." (Well,
obviously they can truncate streams with RST, but that isn't very
subtle to any client.)

> I know there are TLS intercepts, but they require you to get the
> client to accept an alternate cert to proxy the connection.

Yep. Without a CA trust database, clients cannot distinguish valid
certifications from invalid ones.

>> P.S., we should probably ship a CA database in base. Maybe with an
>> override version in ports to match our release model. But, base
>> should be able to authenticate certificates out of the box.
>
> I believe there is a group of people working on that issue
> some place, or at least I recall seeing it as an agenda item.

There was some contention even having the port install somewhere base
SSL libraries could access it. We've made that change, though there
is a non-default port option to turn it off.

I too have seen it on Core's agenda for months, without any outward
visible progress.

Best,
Conrad
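
The point above about CA trust databases, as an added example that is not part of the original message or of FreeBSD's code: a client holding the CA bundle accepts the genuine server certificate and rejects an alternate one for the same name, while a client with no trust anchors gets the same verdict for both. It assumes the openssl CLI (1.1.0 or later); every key, certificate and name below is constructed test material.

```shell
#!/bin/sh
# Added example: all keys, certificates and names are constructed throwaway data.
# Assumes the openssl(1) CLI, version 1.1.0 or later, is on PATH.

# build_pki DIR: create a test CA, a server certificate signed by it, and an
# "alternate" self-signed certificate for the same name (the kind an
# intercepting proxy would have to present).
build_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.test" \
        -keyout "$d/alt.key" -out "$d/alt.pem" 2>/dev/null || return 1
}

# verdict TRUST CERT: print "accept" or "reject".
# TRUST is a CA bundle path, or "none" for a client with no trust database.
verdict() {
    if [ "$1" = none ]; then
        set -- -no-CAfile -no-CApath "$2"
    else
        set -- -CAfile "$1" "$2"
    fi
    if openssl verify "$@" >/dev/null 2>&1; then echo accept; else echo reject; fi
}

# run_demo: print the four verdicts on one line.
run_demo() {
    d=$(mktemp -d) || return 1
    build_pki "$d" || { rm -rf "$d"; return 1; }
    echo "with-ca:genuine=$(verdict "$d/ca.pem" "$d/srv.pem")" \
         "with-ca:alternate=$(verdict "$d/ca.pem" "$d/alt.pem")" \
         "no-ca:genuine=$(verdict none "$d/srv.pem")" \
         "no-ca:alternate=$(verdict none "$d/alt.pem")"
    rm -rf "$d"
}

run_demo
```
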