GnuTLS: load and send X.509 certificate chains#458
Conversation
|
If there are no objections I will mark this as cleared for merge in about 2 days. |
rousskov
left a comment
There was a problem hiding this comment.
The biggest change request I recall is the use of exceptions instead of (currently broken) error codes, but I believe all of the suggested changes can be implemented without serious rewrites.
Were the OpenSSL changes tested?
|
|
||
| #else | ||
| // fail | ||
| out.append("[not implemented]"); |
There was a problem hiding this comment.
Feels strange that we display WARNINGs when something goes wrong while extracting the certificate subject but appear to be happy when we cannot even start extracting. If this code is reached, should not this be an even bigger WARNING (or equivalent)? If this is intentional, we should document the reason behind this surprising difference.
0240e42 to
cf1f20c
Compare
745ecff to
a05329a
Compare
|
It took a few hours to find this pull request and understand that Debian's squid serving CONNECT requests on the |
|
@ilatypov, please note that instead of exposing your basic authentication you can build Squid with OpenSSL OR use stunnel-like wrapper in front of an http_port to encrypt CONNECT on the wire. |
06a7ce0 to
6b949fc
Compare
b9afe56 to
e227da8
Compare
|
Screwed up a rebase for this PR. GIthub automatically closed and will not let me re-open it. So generated a clean replacement as PR #831 |
Feature parity with OpenSSL in terms of loading and validating a chain
of X.509 intermediary certificates from a PEM file during configuration,
and delivery of the resulting chain on TLS ServerHello handshakes.