Galène videoconferencing server discussion list archives
From: Dave Taht <dave.taht@gmail.com>
To: Juliusz Chroboczek <jch@irif.fr>
Cc: "Michael Ströder" <michael@stroeder.com>, galene@lists.galene.org
Subject: [Galene] Re: Heads up: Galène generates self-signed certificates
Date: Wed, 24 Feb 2021 13:29:16 -0800
Message-ID: <CAA93jw4U7wCKRyCv9WzqZTN_4SyrzFSuSARkJKPaK2EpT3K9sg@mail.gmail.com>
In-Reply-To: <87ft1lqhud.wl-jch@irif.fr>

Several notes.

I strongly agree with being able to generate a self-signed cert.
Especially if you are operating a server that is off the internet,
it's difficult to get a cert via Let's Encrypt,
and asking folk to run the openssl command line is just asking for trouble.

The CA authority argument has always smelt of the old key escrow argument, and
I vastly prefer to not register some things with any centralized
authority and explain to potential users that's why it isn't
registered and that the "invalid cert" thing is misleading.

I however wouldn't mind if there was a command within galene to
fire off the Let's Encrypt facility if a box is on the public internet
and has working DNS. Shell out to acme, I think....

On Wed, Feb 24, 2021 at 1:25 PM Juliusz Chroboczek <jch@irif.fr> wrote:
>
> >> If at least one of cert.pem and key.pem are present
>
> > Currently, we fall back to the self-signed certificate if either of the
> > two files is missing.  Could you please describe the kind of attacks that
> > you're worried about?
>
> I've changed the behaviour in that case -- we'll fail the connection if
> only one of the two files exists.



-- 
"For a successful technology, reality must take precedence over public
relations, for Mother Nature cannot be fooled" - Richard Feynman

dave@taht.net <Dave Täht> CTO, TekLibre, LLC Tel: 1-831-435-0729
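
The file-handling rule described in the quoted reply above (use a self-signed certificate only when both cert.pem and key.pem are absent, and fail when exactly one of them exists), as an added Go example. It is not part of the original message and is not Galène's own code; the function names, the `localhost` name and the 24-hour lifetime are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

func exists(p string) bool { _, err := os.Stat(p); return !os.IsNotExist(err) }
// selfSigned builds an in-memory self-signed certificate (assumed name: localhost).
func selfSigned() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// chooseCertificate returns the certificate and whether it was self-signed.
func chooseCertificate(dir string) (tls.Certificate, bool, error) {
	cert, key := filepath.Join(dir, "cert.pem"), filepath.Join(dir, "key.pem")
	if exists(cert) != exists(key) { // exactly one file: fail, no silent fallback
		return tls.Certificate{}, false, fmt.Errorf("only one of cert.pem and key.pem exists in %q", dir)
	}
	if exists(cert) { // both files: use the operator-supplied pair
		c, err := tls.LoadX509KeyPair(cert, key)
		return c, false, err
	}
	c, err := selfSigned() // neither file: generate a self-signed certificate
	return c, true, err
}

func main() {
	_, self, err := chooseCertificate(".")
	fmt.Println("self-signed:", self, "error:", err)
}
```

A file that exists but cannot be read counts as present here, so a permissions problem surfaces as a load error instead of a quiet switch to the self-signed certificate.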
