Hi Philipp, On Thu, Nov 15, 2018 at 7:21 AM Philipp Kern <pk...@debian.org> wrote: [...] > Why do we need to build out this insecure option more rather than the > target having supported SSL certificates (now that Let's Encrypt and > friends exist)? [...]
Point taken, however this seems orthogonal to the current problem, which is the 'allow_unauthenticated_ssl=true' option it not used even if the user requests it, in the particular case of HTTP-HTTPS redirect. That is a problem. Of course, not using of valid/supported SSL certificates _may_ be _another_ problem, i.e., a security concern, but it's arguably not so in some scenarios, e.g., restricted-access and test/debug environments. In this case, the latter problem may be _acceptable), but the former problem prevents it from even being _usable_ regardless of the user's choice/decision. So, I can certainly appreciate the point you brought up about it, but I believe this is more of fixing a corner/particular case bug that is not yet covered for a functionality that is already in place. > [...] I will note that it's also possible to copy additional > root certificates into the initrd pre-install. (At least it used to work > before HTTPS was generally available.) It looks like this requires rebuilding the initrd, which is some extra work (and unfortunately it does not allow using the already distributed/official files out there), and someone can also decide to do that for the case without HTTP->HTTPS redirect, so not really particular to this problem/bug report itself, if I understand it correctly. Hope this helps! Best regards, -- Mauricio Faria de Oliveira
