On Tue, Mar 27, 2018 at 8:41 AM, Rodney W. Grimes <free...@pdx.rh.cn85.dnsmgr.net> wrote:
> Without the private part of the TLS they can not alter that data,
> correct?

Correct — a property typically referred to as "integrity." (Well, obviously they can truncate streams with RST, but that isn't very subtle to any client.)

> I know there are TLS intercepts, but they require you to get the
> client to accept an alternate cert to proxy the connection.

Yep. Without a CA trust database, clients cannot distinguish valid certifications from invalid ones.

>> P.S., we should probably ship a CA database in base. Maybe with an
>> override version in ports to match our release model. But, base
>> should be able to authenticate certificates out of the box.
>
> I believe there is a group of people working on that issue
> some place, or at least I recall seeing it as an agenda item.

There was some contention even having the port install somewhere base SSL libraries could access it. We've made that change, though there is a non-default port option to turn it off. I too have seen it on Core's agenda for months, without any outward visible progress.

Best,
Conrad