svn commit: r331618 - head/share/man/man7
Conrad Meyer
cem at freebsd.org
Tue Mar 27 15:50:04 UTC 2018
On Tue, Mar 27, 2018 at 8:41 AM, Rodney W. Grimes <freebsd at pdx.rh.cn85.dnsmgr.net> wrote:
> Without the private part of the TLS they can not alter that data,
> correct?
Correct — a property typically referred to as "integrity." (Well,
obviously they can truncate streams with RST, but that isn't very
subtle to any client.)
> I know there are TLS intercepts, but they require you to get the
> client to accept an alternate cert to proxy the connection.
Yep. Without a CA trust database, clients cannot distinguish valid
certifications from invalid ones.
>> P.S., we should probably ship a CA database in base. Maybe with an
>> override version in ports to match our release model. But, base
>> should be able to authenticate certificates out of the box.
>
> I believe there is a group of people working on that issue
> some place, or at least I recall seeing it as an agenda item.
There was some contention even having the port install somewhere base
SSL libraries could access it. We've made that change, though there
is a non-default port option to turn it off. I too have seen it on
Core's agenda for months, without any outward visible progress.
Best,
Conrad
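The point about a CA trust database, illustrated as an added example that is not part of the thread or of any FreeBSD code: a client that has no roots at all cannot tell a valid certificate from an invalid one, while the same client with the issuing root installed can both accept the legitimate certificate and reject a name mismatch. The self-signed root is generated in memory and stands in for whatever a shipped CA bundle would carry; the names "example.test" and "Example Test Root" are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCA builds a throwaway self-signed root certificate in memory.
// It plays the role of an entry in a CA bundle; it is constructed for this
// example and is not a real root or a FreeBSD port file. No network is used.
func newSelfSignedCA() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:              []string{"example.test"}, // constructed hostname
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainst checks cert for host using only the roots in pool.
// An empty pool models a system with no CA database installed.
func verifyAgainst(cert *x509.Certificate, pool *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// runDemo exercises the three cases a client can land in:
//   - no trust database: verification cannot succeed for any certificate,
//   - root installed, correct hostname: verification succeeds,
//   - root installed, wrong hostname: verification still fails.
func runDemo() (emptyStoreErr, trustedErr, wrongHostErr error) {
	ca, err := newSelfSignedCA()
	if err != nil {
		return err, err, err
	}
	emptyStoreErr = verifyAgainst(ca, x509.NewCertPool(), "example.test")

	pool := x509.NewCertPool()
	pool.AddCert(ca) // equivalent of shipping the root in a CA bundle
	trustedErr = verifyAgainst(ca, pool, "example.test")
	wrongHostErr = verifyAgainst(ca, pool, "other.test")
	return emptyStoreErr, trustedErr, wrongHostErr
}

// isUnknownAuthority reports whether err is the "no trusted root" failure.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	empty, trusted, wrongHost := runDemo()
	fmt.Printf("empty trust store: %v (unknown authority: %t)\n", empty, isUnknownAuthority(empty))
	fmt.Printf("root installed, matching host: err=%v\n", trusted)
	fmt.Printf("root installed, wrong host: %v\n", wrongHost)
}
```

The first case is the one the message describes: with nothing in the trust store the verifier has no basis for a decision, so every certificate, good or forged, fails the same way. Only once a root is present does the check become informative, which is why shipping a CA database in base matters for clients that need to authenticate servers out of the box.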