Timestamp: Jun 22, 2007, 11:34:48 PM
Author: wehlhard
Comment: yay for writing
v51 | v52 |
31 | 31 | 2. If the hostname check fails, ssl_connect will prompt the user with the certificate data and a warning that the hostname check failed. |
32 | 32 | 3. If the user accepts the certificate anyways, ssl_connect calls bless_certificate in the tls_peers CertificateVerifier, which adds it to the "tls_peers" pool. The connection initialization is then completed. (The exact action at this step is not really laid in stone, though) |
| 33 | |
| 34 | == A better-written example == |
| 35 | SSL SYSTEM: |
| 36 | 1. Set up connection with gmail.com. |
| 37 | 2. Fetch peer certificate chain. |
| 38 | 3. Pass peer certificate chain to the Verifier, along with a callback that accepts an "approved? yes or no" value. |
| 39 | |
| 40 | VERIFIER: |
| 41 | 4. See if the first cert in the chain is in some .ssh/known_hosts equivalent. If it is, trigger the callback with "approved" |
| 42 | 5. See if the certificate chain is valid against a known CA. If it is, trigger the callback with "approved" |
| 43 | 6. Prompt the user with details for approval. If the user approves, trigger the callback with "approved" |
| 44 | 7. Trigger the callback with "not approved" |
| 45 | |
| 46 | SSL SYSTEM (via callback): |
| 47 | 8. If the certificate chain was approved, finish connection setup. If it wasn't, abort the connection with an informative error message. |
33 | 48 | |
34 | 49 | == CertificateScheme API == |
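Review bot: the new VERIFIER steps (lines 41-44) never check that the certificate actually names the host being connected to, so a chain that is "valid against a known CA" in step 5 for any hostname would be approved for gmail.com; the version this replaces (context lines 31-32) still had "If the hostname check fails, ssl_connect will prompt the user", and that check should not be lost. Suggest passing the expected hostname to the Verifier in step 3 together with the chain and callback, and making step 5 read "valid against a known CA and issued for the requested hostname". Two smaller points on the same block: steps 4-7 each "trigger the callback" and then fall through, so the text should say the Verifier stops at the first step that decides, otherwise the SSL SYSTEM in step 8 can receive "approved" followed by "not approved" for one connection; and step 6 drops the persistence the old step 3 had ("calls bless_certificate ... which adds it to the 'tls_peers' pool"), so a user-approved certificate is never written to the ".ssh/known_hosts equivalent" that step 4 reads and the user is prompted on every connection.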