From: Dave Taht
Date: Wed, 24 Feb 2021 13:29:16 -0800
To: Juliusz Chroboczek
CC: Michael Ströder, galene@lists.galene.org
Subject: [Galene] Re: Heads up: Galène generates self-signed certificates
In-Reply-To: <87ft1lqhud.wl-jch@irif.fr>
List-Id: Galène videoconferencing server discussion list

Several notes.

I strongly agree with being able to generate a self-signed cert. Especially if you are operating a server that is off the internet, it's difficult to get a cert via Let's Encrypt, and asking folk to run the openssl command line is just asking for trouble.

The CA authority argument has always smelt of the old key escrow argument, and I vastly prefer to not register some things with any centralized authority and explain to potential users that's why it isn't registered and that the "invalid cert" thing is misleading.

I however wouldn't mind if there was a command within galene to fire off the Let's Encrypt facility if a box is on the public internet and has working DNS. Shell out to acme, I think....
On Wed, Feb 24, 2021 at 1:25 PM Juliusz Chroboczek wrote:
>
> >> If at least one of cert.pem and key.pem are present
>
> > Currently, we fall back to the self-signed certificate if either of the
> > two files is missing. Could you please describe the kind of attacks that
> > you're worried about?
>
> I've changed the behaviour in that case -- we'll fail the connection if
> only one of the two files exists.
> _______________________________________________
> Galene mailing list -- galene@lists.galene.org
> To unsubscribe send an email to galene-leave@lists.galene.org

-- 
"For a successful technology, reality must take precedence over public relations, for Mother Nature cannot be fooled" - Richard Feynman
dave@taht.net CTO, TekLibre, LLC Tel: 1-831-435-0729
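The certificate-loading behaviour discussed in the quoted reply (use cert.pem and key.pem when both exist, generate a self-signed certificate when neither exists, and refuse to start when only one of the two is present instead of silently falling back), as an added Go example written for this archive; it is not Galène's own code, and the names LoadOrGenerate and ErrHalfConfigured are assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// ErrHalfConfigured means exactly one of cert.pem / key.pem exists; falling back to
// a self-signed certificate would hide a broken deployment, so fail instead.
var ErrHalfConfigured = errors.New("only one of cert.pem and key.pem is present")
func exists(p string) bool { _, err := os.Stat(p); return err == nil }

// LoadOrGenerate returns the operator's key pair when both files exist, a fresh
// self-signed certificate (bool = true) when neither exists, ErrHalfConfigured otherwise.
func LoadOrGenerate(dir string) (tls.Certificate, bool, error) {
	certPath := filepath.Join(dir, "cert.pem")
	keyPath := filepath.Join(dir, "key.pem")
	haveCert, haveKey := exists(certPath), exists(keyPath)
	switch {
	case haveCert && haveKey:
		c, err := tls.LoadX509KeyPair(certPath, keyPath)
		return c, false, err
	case haveCert != haveKey:
		return tls.Certificate{}, false, ErrHalfConfigured
	}
	// Neither file present: generate an in-memory self-signed certificate.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, false, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, false, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, true, nil
}
```

The second return value lets the caller log loudly that a self-signed certificate is in use, so the "invalid cert" browser warning is expected rather than a surprise.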