Re: [PATCH] openssl: allow partial trust chains

From: Tim Ruehsen
Date: Mon, 30 Nov 2015 09:25:43 +0100

On Monday 30 November 2015 08:15:55 Daniel Stenberg wrote:
> On Thu, 26 Nov 2015, Tim Ruehsen wrote:
> > I just don't like this behavior being the default. I have nothing against
> > some kind of configuration / option.
> But this gives a user greater flexibility to more fine-grained trust.

Adding/removing CA stores (directories and/or single files) via command line
(and/or config file and/or aliases) gives you lots more flexibility. Wget has
had subsets of these capabilities for years.

> What sort of problem do you see with this?

I already gave a scenario where the requested change is dangerous. If you
think it is not appropriate, please give some arguments.

> We don't normally fear adding options in libcurl, but this is a very
> specialized option that very few users would know how to handle.

??? IMO, Reiner and Petr know what they want - and they seem to be the only
ones who need this feature so far. Why do you think they can't handle a CLI
option?

> Also, based on what's said it might also tweak behavior other TLS backends
> already do on their own, not to mention that other backends may not be that
> easy to alter this behavior for.

Just because other people dig a security hole, you don't have to follow them.

But anyways, there are pros and cons whatever you decide. You can read and
understand the arguments and have to decide. I accept your decision - I am not
a security evangelist. Just wanted to mention my concerns.


