Re: Trusting CA certificates
Hello Ian,

On 7/11/2011 6:24 AM, Ian Patterson wrote:
> If I change the parameter 'Define CA trust list' of my Application (within
> Working with Client Applications) to 'No', will my httpapi client then
> automatically trust any valid certificates used during an httpapi session ?

By default, HTTPAPI tries to be as permissive as it can possibly be. By
default, it trusts _all_ certificates. As long as the cryptography in
the certificate is valid, it'll trust it. It even allows expired
certificates, or those that have no CA certificate installed.

You can tell it you want it to be more strict by calling the
https_strict() API. This forces it to only accept certificates that
haven't expired, and that have CA certificates installed.

You can register callbacks on the HTTP_POINT_CERT_VAL and
HTTP_POINT_GSKIT_CERT_VAL exit procedures to do even more strict
validation -- and you can get as strict as you like.

My experience is that most folks just want the connection to be
encrypted. Getting the certificate trusts working can be a big source of
frustration, so I let them enable that if they want it, but otherwise I
default to being permissive.

-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------