| bencoh | Maxdamantus: at this point I'd just trust a wildcard cert in browserd, and have the proxy use it | 01:40 |
|---|---|---|
| bencoh | hmm, not sure browserd would accept it though | 01:41 |
| bencoh | either that, or disable cert verification in the browser, since the proxy is supposed to do that anyway | 01:41 |
| Maxdamantus | Wildcard certs are not valid, otherwise I would use one of them in the proxy. | 01:46 |
| Maxdamantus | at least, wildcard certs for TLDs or above are not valid. | 01:47 |
| Maxdamantus | That is, "CN=*" or "CN=*.com" are not valid (or rather, ignored), but "CN=foo.com" or "CN=*.foo.com" are valid. | 01:48 |
| bencoh | no way to disable validation altogether? | 01:49 |
| Maxdamantus | I doubt it. tbh I wouldn't want to. | 01:50 |
| bencoh | why? the proxy does the job | 01:50 |
| Maxdamantus | Because if the proxy is not used for some reason (configuration reset, or maybe a random non-SSL-intercepting proxy is running), it shouldn't just trust all certs. | 01:56 |
| Maxdamantus | anyway, I suspect even in 2009, browser developers probably wouldn't have wanted to add that capability. | 02:00 |
| Maxdamantus | Heh, looks like that suspicion might have been wrong. Sounds like there used to be a "security.use_mozillapkix_verification" flag until Firefox 33, where they presumably got rid of that option. | 02:07 |
Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!