On Fri, 18 Jan 2013 20:55:40 +0000 Matthew Seaman <m.sea...@infracaninophile.co.uk> wrote:
> On 18/01/2013 02:57, Michael Gmelin wrote: > > > c. libfetch really needs to get fixed to allow certificate > > verification in its fetchX* and fetchHTTP* functions when using > > HTTPS. fetch(3) is based on it and there is no indication anywhere > > whatsoever that no checks are done at all (none of the libfetch or > > fetch utility man pages mention it). > > This would be useful functionality to add to libfetch. However, > support for DANE (RFC 6698) would be even better, IMHO. > Hi Matthew, I implemented all the bits necessary back in January and discussed the patch with Dag at length. The final result was (well, IMHO) quite satisfactory, but then I got distracted by a couple of very tight deadlines until early March. I mailed the latest version of the patch to Dag, but didn't receive any feedback yet - it's been only a few weeks though. >From my perspective the patch is complete, since all the features I intended to implement have been implemented and tested according to the relevant RFCs. Adding DANE, like you suggested, would be great, but I don't have the time to acquire the expertise required right now. Plus implementing it is not a replacement for supporting a "traditional" SSL CA infrastructure. You can fetch the latest version of the patch at http://blog.grem.de/libfetch_20130307.patch (I didn't bother adding it to kern/175514, since AFAIK patches containing UTF-8 characters are still broken in the PR system). I wrote a tutorial, available at http://goo.gl/tW7P3 [1], on how to actually take advantage of the features provided by the patch in a fully trusted and bidirectionally authenticated pkgng setup, I hope this useful to somebody else. We'll roll out a very similar setup on all of our servers in the near future. I'd like to see the patches to libfetch/fetch make it to base, since I think these features just have to be in there, regardless of what you think of traditional PKI infrastructures. Cheers, Michael [1] http://blog.grem.de/sysadmin/Trusted-Package-Distribution-With-pkgng-2013-03-30.html -- Michael Gmelin _______________________________________________ freebsd-ports@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
