
Re: Trusting CA certificates



Hello Ian,

On 7/11/2011 6:24 AM, Ian Patterson wrote:
> If I change the parameter 'Define CA trust list' of my Application (within
> Working with Client Applications) to 'No', will my httpapi client then
> automatically trust any valid certificates used during an httpapi session ?

By default, HTTPAPI tries to be as permissive as it can possibly be. By 
default, it trusts _all_ certificates. As long as the cryptography in 
the certificate is valid, it'll trust it.  It even allows expired 
certificates, or those that have no CA certificate installed.

You can tell it you want it to be more strict by calling the 
https_strict() API.  This forces it to only accept certificates that 
haven't expired, and that have CA certificates installed.

You can register callbacks on the HTTP_POINT_CERT_VAL and 
HTTP_POINT_GSKIT_CERT_VAL exit procedures to do even more strict 
validation -- and you can get as strict as you like.

My experience is that most folks just want the connection to be 
encrypted. Getting the certificate trusts working can be a big source of 
frustration, so I let them enable that if they want it, but otherwise I 
default to being permissive.
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
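The three trust levels described in the reply (trust everything, https_strict(), a custom validation exit) can be modelled as three certificate policies applied to the same parsed certificate. The following Python is an added illustration and is not HTTPAPI code; it assumes a hypothetical TRUSTED_ISSUERS set as a stand-in for the "installed CA certificates" store, and uses the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns, with all certificate values constructed for the example. The build_context() helper shows the equivalent knobs on a stock TLS client, since the same permissive-versus-strict choice exists there.

```python
"""Three certificate trust policies, side by side (added example, not HTTPAPI code).

Models the three levels the reply describes: trust everything (the default),
strict (no expired certs, the issuer's CA cert must be installed, like
https_strict()), and a custom validation exit that adds checks of its own.
Certificate dictionaries use the layout Python's getpeercert() returns;
every value below is constructed for the example.
"""
import ssl
from dataclasses import dataclass


@dataclass
class CertCheck:
    accepted: bool
    reason: str


# Hypothetical stand-in for the "installed CA certificates" store.
TRUSTED_ISSUERS = {"Example Root CA"}


def when(cert_time):
    """Parse a certificate time string ('Jan 15 09:34:43 2018 GMT') to epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def issuer_cn(cert):
    """Return the issuer commonName from a getpeercert()-style dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def permissive(cert, now):
    """Default policy: accept anything the TLS layer could parse."""
    return CertCheck(True, "permissive: accepted without expiry or CA checks")


def strict(cert, now):
    """https_strict()-style policy: reject expired certs and unknown issuers."""
    if now < when(cert["notBefore"]):
        return CertCheck(False, "not yet valid until " + cert["notBefore"])
    if now > when(cert["notAfter"]):
        return CertCheck(False, "expired on " + cert["notAfter"])
    if issuer_cn(cert) not in TRUSTED_ISSUERS:
        return CertCheck(False, "no CA certificate installed for issuer %r" % issuer_cn(cert))
    return CertCheck(True, "strict: expiry and CA checks passed")


def make_custom_validator(hostname):
    """Custom exit-procedure-style check: strict, plus the name must match the host."""
    def validate(cert, now):
        base = strict(cert, now)
        if not base.accepted:
            return base
        names = {name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"}
        if hostname not in names:
            return CertCheck(False, "certificate is not issued for %r" % hostname)
        return CertCheck(True, "custom: strict checks plus hostname match")
    return validate


def build_context(trust_all):
    """Equivalent knobs on a stock TLS client: CERT_NONE is the permissive
    setting; CERT_REQUIRED with check_hostname is the strict one."""
    ctx = ssl.create_default_context()
    if trust_all:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


# Constructed sample certificates in getpeercert() layout.
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "notBefore": "Jan 01 00:00:00 2011 GMT",
    "notAfter": "Dec 31 23:59:59 2012 GMT",
}
# Same leaf, but self-signed: no installed CA vouches for it.
SELF_SIGNED_CERT = dict(GOOD_CERT, issuer=((("commonName", "www.example.com"),),))


if __name__ == "__main__":
    for label, now in (("during validity", when("Jul 11 12:00:00 2011 GMT")),
                       ("after expiry", when("Jul 11 12:00:00 2013 GMT"))):
        for name, cert in (("CA-signed", GOOD_CERT), ("self-signed", SELF_SIGNED_CERT)):
            for policy in (permissive, strict, make_custom_validator("www.example.com")):
                r = policy(cert, now)
                print("%-16s %-12s %-7s %s" % (label, name,
                                               "ACCEPT" if r.accepted else "REJECT", r.reason))
```

Running it prints one line per combination of policy, certificate and clock, which makes the trade-off concrete: the permissive policy accepts every row, including the expired and self-signed ones, so it gives encryption against a passive eavesdropper but not authentication of the peer (anyone in the path can present their own certificate); the strict policy rejects those, and the custom validator additionally rejects a certificate issued for a different name.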