
RE: Trusting CA certificates



Thanks Scott,

That sums it up perfectly.

The server end of our Customers change the CA & Intermediate certs often,
but many of our users have strict change rules on their live systems which
means that alterations to the DCM on a regular basis are a pain.

I think that getting them to change the 'Trust CA List' parameter will
alleviate the continual change requirements but still have a secure system.

Regards

Ian Patterson


-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx]On Behalf Of Scott Klement
Sent: 11 July 2011 19:58
To: ftpapi@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: Trusting CA certificates


Hello Ian,

On 7/11/2011 6:24 AM, Ian Patterson wrote:
> If I change the parameter 'Define CA trust list' of my Application (within
> Working with Client Applications) to 'No', will my httpapi client then
> automatically trust any valid certificates used during an httpapi session?

By default, HTTPAPI tries to be as permissive as it can possibly be. By
default, it trusts _all_ certificates. As long as the cryptography in
the certificate is valid, it'll trust it.  It even allows expired
certificates, or those that have no CA certificate installed.

You can tell it you want it to be more strict by calling the
https_strict() API.  This forces it to only accept certificates that
haven't expired, and that have CA certificates installed.

You can register callbacks on the HTTP_POINT_CERT_VAL and
HTTP_POINT_GSKIT_CERT_VAL exit procedures to do even more strict
validation -- and you can get as strict as you like.

My experience is that most folks just want the connection to be
encrypted. Getting the certificate trusts working can be a big source of
frustration, so I let them enable that if they want it, but otherwise I
default to being permissive.
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
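The three validation tiers Scott describes (permissive by default, https_strict() for expiry and CA checks, and an exit procedure for anything stricter) can be modelled as a small policy function. The example below is an added illustration in Python, not HTTPAPI's own RPG code and not the signature of its HTTP_POINT_CERT_VAL exit procedure; it works on dictionaries shaped like Python's ssl.getpeercert() output, and the certificate names, dates, trust store and the validate_peer_cert / require_host names are all constructed for the example. The "now" timestamp is the date of Scott's message.

```python
"""Model of HTTPAPI's certificate-validation tiers (permissive / strict / callback).
Added illustration; the real library's RPG API is not reproduced here."""
import ssl
from typing import Callable, Iterable, Optional

# getpeercert() represents subject/issuer as nested tuples of (type, value) pairs.
PeerCert = dict
# A callback returns an error string to reject the certificate, or None to accept it.
Callback = Callable[[PeerCert], Optional[str]]

# Constructed sample certificates (not real certificates; names and dates are made up).
TRUSTED_CAS = {"Example Intermediate CA"}          # the "CA certificates installed" set
VALID_CERT = {
    "subject": ((("commonName", "api.example.test"),),),
    "issuer": ((("commonName", "Example Intermediate CA"),),),
    "notBefore": "Jan  1 00:00:00 2011 GMT",
    "notAfter": "Jan  1 00:00:00 2013 GMT",
}
EXPIRED_CERT = dict(VALID_CERT, notAfter="Jan  1 00:00:00 2011 GMT")
UNKNOWN_CA_CERT = dict(VALID_CERT, issuer=((("commonName", "Self-Signed Test CA"),),))
# Evaluation time for the examples: the date of the message being discussed.
NOW = ssl.cert_time_to_seconds("Jul 11 19:58:00 2011 GMT")


def common_name(rdn_sequence) -> Optional[str]:
    """Pull the commonName out of a getpeercert()-style subject or issuer tuple."""
    for rdn in rdn_sequence:
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def validate_peer_cert(cert: PeerCert, now: float, trusted_cas: Iterable[str] = (),
                       strict: bool = False,
                       callback: Optional[Callback] = None) -> Optional[str]:
    """Return None if the certificate is accepted, otherwise the reason it was rejected.

    Tier 1 (default):  accept anything, as HTTPAPI does out of the box.
    Tier 2 (strict):   reject expired certificates and those whose issuing CA is not
                       in the trust store (the checks https_strict() turns on).
    Tier 3 (callback): caller-supplied extra checks, run after the built-in ones, so a
                       callback can only tighten the policy, never loosen it.
    """
    if strict:
        if now > ssl.cert_time_to_seconds(cert["notAfter"]):
            return "certificate expired on " + cert["notAfter"]
        if now < ssl.cert_time_to_seconds(cert["notBefore"]):
            return "certificate not yet valid until " + cert["notBefore"]
        issuer = common_name(cert.get("issuer", ()))
        if issuer not in set(trusted_cas):
            return f"issuer {issuer!r} is not an installed CA"
    if callback is not None:
        return callback(cert)
    return None


def require_host(expected_cn: str) -> Callback:
    """Example of a stricter check layered on top: pin the subject commonName."""
    def check(cert: PeerCert) -> Optional[str]:
        actual = common_name(cert.get("subject", ()))
        if actual != expected_cn:
            return f"subject {actual!r} does not match expected {expected_cn!r}"
        return None
    return check


def demo() -> dict:
    """Run each sample certificate through the three tiers; None means accepted."""
    pin = require_host("api.example.test")
    return {
        "permissive/expired": validate_peer_cert(EXPIRED_CERT, NOW),
        "strict/expired": validate_peer_cert(EXPIRED_CERT, NOW, TRUSTED_CAS, strict=True),
        "strict/unknown_ca": validate_peer_cert(UNKNOWN_CA_CERT, NOW, TRUSTED_CAS, strict=True),
        "strict/valid": validate_peer_cert(VALID_CERT, NOW, TRUSTED_CAS, strict=True),
        "strict+pin/valid": validate_peer_cert(VALID_CERT, NOW, TRUSTED_CAS, True, pin),
        "strict+pin/wrong_host": validate_peer_cert(
            dict(VALID_CERT, subject=((("commonName", "other.example.test"),),)),
            NOW, TRUSTED_CAS, True, pin),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} -> {'accepted' if result is None else result}")
```

The ordering matters for the point Ian is weighing: turning the application's CA trust list off, or leaving HTTPAPI permissive, means the expired and unknown-CA cases above are accepted silently; adding a callback does not reintroduce those checks unless the strict tier is also on.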