Current status

Hal Murray hmurray at megapathdsl.net
Wed Feb 13 21:27:09 UTC 2019


Thanks.

Gary said:
>> Unless somebody objects or has a better idea, I'll implement Richard
>> Laager's suggestion to disable the NTS-KE server if it can't read the
>> certificate and key.
> I can't think of any other option.  Is there? 

Sure.  Run without a certificate.  That won't get very far if the client 
insists on a certificate, but it might be useful for testing and is easy to 
implement.

[file for key to private key]
> I agree it is a very uncommon option.  Something to do last, if ever.
> Programs like Apache httpd...

OK, I just found the callback to get the password.

That's sufficiently complicated that I'm not going to think about it now.  If 
somebody thinks it is interesting enough, they should put it on the list.  
Maybe an issue, but Eric likes to delete those rather than use them for 
tracking long-term issues.

Client certificates should go on the same list.  I will remove hints of their 
support if I encounter any.

--------

>> The API is that you give it a chain rather than just a simple cert.
>> One way to do it.  Not the most common.  OK to start with, not OK in
>> production.  Look at the Apache httpd doc to see many other ways to do it
>> (with OpenSSL).

> A lot of users are simply incapable of making their own cert chain. Fancy
> deployments need too many chains to make them practical.

You need one chain per cert.  I was expecting the chain to replace the cert so 
the bookkeeping wouldn't be any more complicated.

If I get a cert from $BIGCERTCO, what do they give me?  Does the cert need 
intermediate certs, or is the cert that certifies my new cert part of the 
normal root cert collection?

If it needs intermediate cert(s), do they give me two files or one?

> What is a "chain TLS client"?

A typo.

The API I'm using is that I give OpenSSL/server one file containing a cert 
and whatever other certs it needs to get to the root certs that the 
OpenSSL/client will be using.  One file seems simpler for everybody than two.

I'm calling that "cert and other certs" a chain.

If two files is what people want/use, we can add that.  It looks like ugly 
code, but I think I have found the API.  Again, I'm putting it on the back 
burner.  If it's important, somebody should put it on the list.


-- 
These are my opinions.  I hate spam.
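The certificate-loading questions in the message above (one PEM file holding cert plus chain versus a separate key file, the passphrase callback for an encrypted private key, and coming up with the NTS-KE server disabled when the material can't be read), worked as an added example.  This is not NTPsec code and not Hal's; it uses Python's stdlib ssl module because it wraps the OpenSSL calls under discussion (SSL_CTX_use_certificate_chain_file, SSL_CTX_use_PrivateKey_file, SSL_CTX_check_private_key and the default passphrase callback).  The function names, file names, the passphrase literal, and the throwaway self-signed certificates generated with the openssl command line are all constructed for the example; the key/certificate mismatch and wrong-passphrase checks go a little beyond the thread to show the other ways loading can fail.

```python
"""Added example, not NTPsec code: load an NTS-KE server's certificate
chain and private key, honour a passphrase callback, and report "disabled"
instead of crashing when the material cannot be read or does not match.
Python's stdlib ssl module is used because it wraps the OpenSSL calls the
thread is about (SSL_CTX_use_certificate_chain_file,
SSL_CTX_use_PrivateKey_file, SSL_CTX_check_private_key and
SSL_CTX_set_default_passwd_cb)."""
import os
import shutil
import ssl
import subprocess
import tempfile


def load_nts_ke_context(chain_file, key_file=None, passphrase=None):
    """chain_file: one PEM file holding the leaf cert followed by any
    intermediates (what the thread calls "a chain").  If key_file is None the
    key is expected in the same file.  Returns an SSLContext, or None meaning
    "run with the NTS-KE server disabled" (the option Gary is implementing)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # The passphrase callback is only installed when a passphrase is configured
    # (assumption: it would come from the daemon's config; here it's a literal).
    password = (lambda: passphrase) if passphrase is not None else None
    try:
        ctx.load_cert_chain(certfile=chain_file, keyfile=key_file,
                            password=password)
    except (OSError, ssl.SSLError):
        # OSError: missing or unreadable file.  ssl.SSLError: not PEM, wrong
        # passphrase, or the key does not match the cert (OpenSSL's
        # SSL_CTX_check_private_key fails).  All mean: disable the server.
        return None
    return ctx


def make_test_material(dirpath, name, passphrase=None):
    """Constructed test data: a throwaway self-signed cert and key made with
    the openssl command line.  Returns (cert_path, key_path), or None when
    no usable openssl binary is on PATH."""
    if shutil.which("openssl") is None:
        return None
    cert = os.path.join(dirpath, name + "-cert.pem")
    key = os.path.join(dirpath, name + "-key.pem")
    cmd = ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-days", "1",
           "-subj", "/CN=nts.example.test", "-keyout", key, "-out", cert]
    cmd += ["-passout", "pass:" + passphrase] if passphrase else ["-nodes"]
    try:
        subprocess.run(cmd, check=True, capture_output=True)
    except subprocess.CalledProcessError:
        return None
    return cert, key


def run_checks():
    """Walk through the failure modes and, if openssl is available, the
    success paths.  Returns {check: True if a context was produced};
    "have_openssl" records whether the success paths could run at all."""
    got = {}
    with tempfile.TemporaryDirectory() as d:
        # Missing files: the daemon should come up with NTS-KE disabled.
        absent_cert = os.path.join(d, "absent-cert.pem")
        absent_key = os.path.join(d, "absent-key.pem")
        got["missing_file"] = load_nts_ke_context(absent_cert, absent_key) is not None
        # Present but not PEM at all.
        garbage = os.path.join(d, "garbage.pem")
        with open(garbage, "w") as f:
            f.write("this is not a certificate\n")
        got["garbage_pem"] = load_nts_ke_context(garbage) is not None

        plain = make_test_material(d, "plain")
        got["have_openssl"] = plain is not None
        if plain is None:
            return got
        cert, key = plain
        # Two files: cert (+ chain) and a separate key.
        got["two_files"] = load_nts_ke_context(cert, key) is not None
        # One file: cert followed by key, no separate key file.
        combined = os.path.join(d, "combined.pem")
        with open(combined, "w") as out:
            for path in (cert, key):
                with open(path) as src:
                    out.write(src.read())
        got["one_file"] = load_nts_ke_context(combined) is not None
        # A key from a different pair must be rejected, not silently accepted.
        _, other_key = make_test_material(d, "other")
        got["mismatched_key"] = load_nts_ke_context(cert, other_key) is not None
        # Encrypted key: the callback supplies the passphrase; a wrong one fails.
        ecert, ekey = make_test_material(d, "enc", passphrase="correct horse")
        got["encrypted_ok"] = load_nts_ke_context(ecert, ekey, "correct horse") is not None
        got["encrypted_wrong_pass"] = load_nts_ke_context(ecert, ekey, "wrong") is not None
    return got


if __name__ == "__main__":
    for check, ok in run_checks().items():
        print(f"{check:22s} {'context' if ok else 'disabled'}")
```

The "one file" case is the layout Hal describes for the chain with the key appended; ssl.load_cert_chain reads certificates from the file until it hits a non-certificate block and then looks for the key in the same file, which is the same thing SSL_CTX_use_certificate_chain_file followed by SSL_CTX_use_PrivateKey_file does.  Returning None for every load failure is the easy part; the practitioner's caveat is to log which of the three failures it was (unreadable file, bad passphrase, key/cert mismatch), since all three look identical to a client that simply finds no NTS-KE listener.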
