Thanks.

Gary said:

>> Unless somebody objects or has a better idea, I'll implement Richard
>> Laager's suggestion to disable the NTS-KE server if it can't read the
>> certificate and key.

> I can't think of any other option. Is there?

Sure. Run without a certificate. That won't get very far if the client insists on a certificate, but it might be useful for testing and is easy to implement.

[file for key to private key]

> I agree it is a very uncommon option. Something to do last, if ever.
> Programs like Apache httpd...

OK, I just found the callback to get the password. That's sufficiently complicated that I'm not going to think about it now. If somebody thinks it is interesting enough, they should put it on the list. Maybe an issue, but Eric likes to delete those rather than use them for tracking long-term issues.

Client certificates should go on the same list. I will remove hints of their support if I encounter any.

--------

>> The API is that you give it a chain rather than just a simple cert.
>> One way to do it. Not the most common. OK to start with, not OK in
>> production. Look at the Apache httpd doc to see many other ways to do it
>> (with OpenSSL).

> A lot of users are simply incapable of making their own cert chain. Fancy
> deployments need too many chains to make them practical.

You need one chain per cert. I was expecting the chain to replace the cert so the bookkeeping wouldn't be any more complicated.

If I get a cert from $BIGCERTCO, what do they give me? Does the cert need intermediate certs, or is the cert that certifies my new cert part of the normal root cert collection? If it needs intermediate cert(s), do they give me two files or one?

> What is a "chain TLS client"?

A typo. The API I'm using is that I give OpenSSL/server one file containing a cert and whatever other certs it needs to get to the root certs that the OpenSSL/client will be using. One file seems simpler for everybody than two. I'm calling that "cert and other certs" a chain.

If two files is what people want/use, we can add that. It looks like ugly code, but I think I have found the API. Again, I'm putting it on the back burner. If it's important, somebody should put it on the list.

--
These are my opinions.
I hate spam.

_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
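As an added illustration (not NTPsec code and not from anyone in this thread), the credential-loading decision discussed above written against Python's ssl module, whose load_cert_chain() takes the same one-file "cert plus intermediates" chain the message describes, an optional separate key file, and a password callback for an encrypted key; returning None stands for "disable the NTS-KE server". Function names and the temporary file contents are constructed for this example.

```python
"""Constructed example: load NTS-KE server credentials and fall back to
'server disabled' when the certificate and key cannot be read.
Not NTPsec code; names are illustrative only."""
import os
import ssl
import tempfile
from typing import Callable, Optional, Union

# A passphrase, or a callable that returns one (the equivalent of the
# OpenSSL password callback mentioned in the thread).
Password = Union[str, bytes, Callable[[], Union[str, bytes]]]


def make_nts_ke_context(certfile: str,
                        keyfile: Optional[str] = None,
                        password: Optional[Password] = None
                        ) -> Optional[ssl.SSLContext]:
    """Return a server-side TLS context, or None when the NTS-KE server
    should be disabled because its credentials cannot be loaded.

    certfile: PEM file holding the server cert followed by whatever
              intermediate certs are needed to reach a root the client
              trusts (the "chain" in the thread).
    keyfile:  None means the private key lives in certfile too (one-file
              layout); otherwise it is read from this file (two files).
    password: used only if the private key is PEM-encrypted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile, keyfile=keyfile, password=password)
    except OSError as exc:
        # Covers a missing file (FileNotFoundError) and unparsable PEM or
        # a key that does not match the cert (ssl.SSLError is an OSError).
        print(f"NTS-KE disabled: cannot load {certfile!r}: {exc}")
        return None
    return ctx


def nts_ke_enabled(certfile: str, keyfile: Optional[str] = None) -> bool:
    """True iff the NTS-KE server would be started with these files."""
    return make_nts_ke_context(certfile, keyfile) is not None


def demo_bad_pem() -> bool:
    """Constructed input: a file that is not a certificate at all."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as f:
        f.write("this is not a PEM certificate\n")
        path = f.name
    try:
        return nts_ke_enabled(path)  # expected: False, server disabled
    finally:
        os.unlink(path)
```

Pass a real chain file (and optionally a key file) to nts_ke_enabled() to see the success path; the two constructed failure cases show the disable-on-error behaviour the thread settles on.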