cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [PATCH] openssl: allow partial trust chains

From: Tim Ruehsen <tim.ruehsen_at_gmx.de>
Date: Mon, 30 Nov 2015 16:34:45 +0100

On Monday 30 November 2015 16:05:01 Daniel Stenberg wrote:
> On Mon, 30 Nov 2015, Tim Ruehsen wrote:
> > But if these are not enabled by default, there is only use to "humans that
> > understand this topic" and explicitly enable it. Am I right that (lib)curl
> > does not enable these by default ?
>
> They are not, and for each and every one of those features we have had this
> discussion of how to deal with them and whether we can enable them by
> default or not. We want to help users do the right thing at once by
> providing the "correct" set of options enabled by default. This is not
> always an easy trade-off of course.
>
> In these mentioned cases the options cannot easily be enabled without (by
> estimation) triggering a fair amount of failures. Failures that users didn't
> get just before an upgrade and would not be that easy to understand or
> learn what to do to get things running again. Ideally we can switch some of
> their default values at some point in time.

Well, you threw the points into the discussion, in my understanding "If we
have these features, why not short-cut the checks of the trust chain".

And all I can do is answering "Yes, if these are enabled, you are right".

This doesn't mean, you have to default all of those immediately.
It means, if the user enabled those as a security measure, let's short-cut the
checks, if he did not don't short-cut.

Once you change the default values, short-cutting becomes (automatically) the
default as well.

Just my thoughts.

Tim

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-11-30