
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   RBERRYPI      Support for the Raspberry Pi device      21,939 messages   


   Message 20,609 of 21,939   
   bp@www.zefox.net to Lawrence D'Oliveiro   
   Re: Chromium and self-signed certificate   
   01 Sep 24 16:28:43   
   
   REPLYADDR bp@www.zefox.net   
   REPLYTO 3:770/3.0 UUCP   
   MSGID:  efeda6e6   
   REPLY:  1d5d3eb1   
   PID: SoupGate-Win32 v1.05   
   Lawrence D'Oliveiro  wrote:   
   > On Sun, 1 Sep 2024 00:43:57 -0000 (UTC), bp wrote:   
   >   
   >> I thought the host certificate _became_ a CA   
   >> certificate through the self-signing process..... So, I actually need   
   >> _two_ certificates, one for the server and one for the signing   
   >> authority, both created on the server?   
   >   
   > A CA cert needs to be self-signed, since of course there is nobody higher   
   > (within the SSL/TLS protocol, anyway) to vouch for a CA’s authenticity.   
   > The OS (or the browser) typically comes with a set of CA certs that it   
   > trusts, preinstalled. So any cert signed (directly or indirectly) by any   
   > of these CAs becomes trusted as well. And you should be able to add to   
   > these certs, or even remove them.   
   >   
   >> Presumably the client (a Pi5 running RasPiOS) already has created its   
   >> own?   
   >   
   > Its own CA? Hard to think why it would.   
   >   
   Ah, only a host certificate is needed for an anonymous client, like   
   my browser?   
      
   >>> The procedure for being your own CA is a lot simpler in OpenSSL 3. I   
   >>> have some notes here .   
   >>   
   >> Fortunately it seems OpenSSL 3 is installed. I'll try your exercise   
   >> shortly   
   >   
   > I should mention that my example use of TLS/SSL is as a wrapper for an   
   > entirely custom protocol, not related to HTTP/HTTPS. There are certain   
   > requirements for certs used for HTTP/HTTPS, where the “subject” field must   
   > contain the fully-qualified DNS name in the “CN=” part.   
      
   That much I gathered. Still, it looks like there are three uses for   
   encrypted, authenticated communications between hosts: Mail, web traffic   
   and remote logins. SSL is installed and working for remote logins on all   
   the hosts under my control by default. Can a single ssl/tls configuration   
   support all three services? Am I wrong to think of ssl and tls as one thing?   
      
   Apologies for all the naive questions!   
      
   bob prohaska   
      
   --- SoupGate-Win32 v1.05   
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)   
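Added example, not part of the original message or the notes it mentions: the two-certificate arrangement discussed in this thread, a self-signed CA certificate that then signs a separate host certificate, written as shell functions around the `openssl` command line. The names `Example Home CA` and `pi.example.lan` and all file names are constructed placeholders; `subjectAltName` is set because Chromium matches host names against it.

```shell
#!/bin/sh
# Added example. "Example Home CA", pi.example.lan and the file names are
# constructed placeholders, not values from the thread.

# Create a self-signed CA certificate (the trust anchor) in directory $1.
make_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Home CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Create a key and CSR for host name $2, then have the CA in $1 sign it.
# The host certificate is marked CA:FALSE, so it cannot sign other certs.
make_host_cert() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$2" \
        > "$1/host.cnf"
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$2" \
        > "$1/host.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/host.cnf" \
        -keyout "$1/host.key" -out "$1/host.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/host.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -extfile "$1/host.ext" \
        -out "$1/host.crt" 2>/dev/null
}

# Succeeds only if certificate $2 chains to trust anchor $1 and names host $3.
verify_host_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}
```

Only `ca.crt` is what a client would add to its trusted CA set; `host.key` and `host.crt` stay on the server, and `ca.key` is needed only when signing.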
      



(c) 1994,  bbs@darkrealms.ca