[Remops] Oops! Small problem!

Steve Crook steve at mixmin.net
Wed Nov 5 11:21:46 GMT 2014


On Tue, Nov 04, 2014 at 11:55:42AM -0700, richard at quicksilvermail.net wrote:
> 
> On Tue, 4 Nov 2014 15:36:23 +0000, you wrote:
> >
> > Hi Richard,
> >
> > I think the URLDownloadToFile function uses the same certificate store
> > as Internet Explorer so it might be a case of telling IE to accept
> > certain self-signed certificates.  I found these instructions on how to
> > do that:-
> > http://stackoverflow.com/questions/681695/what-do-i-need-to-do-to-get-internet-explorer-8-to-accept-a-self-signed-certific
> >
> > I've tested this from within IE but don't have another URLDownloadToFile
> > binary to test my theory against.  Might be worth a try with your 3.03a
> > binary.
> 
> Hi Steve,
> 
> The instructions you show me describe how to get Windows to accept self-
> signed certs on MY computer. You wish this to be applied to all
> mixmaster users? This can likely be done programmatically, but I don't
> see how, without an installation program.
> 
> I often miss the point completely :) Am I missing your point?

Hi Richard,

Not sure if you missed my point, or that I didn't make it.  :)

I don't think there is a programmatic solution for telling
URLDownloadToFile to ignore the certificate chain.  Its behaviour is
identical to the IE browser in that it requires a valid certificate
chain, or a conscious decision by the user to create an exception.

For example:
https://www.mixmin.net/echolot/ is not self-signed but will probably
fail because IE doesn't include (by default) a root certificate for
cacert.org.  If a user wants my stats via HTTPS, they'll either need to
create an exception or add the cacert root to their certificate store.

This behaviour is consistent with most applications that use X.509
certificates so I'm inclined to think we shouldn't change it, even if we
could.  Better to let each user make a conscious choice to accept
certificates that don't have verifiable chains.

Steve
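
The step described in the message above, a user deliberately adding a root certificate (such as the cacert.org one) to their own certificate store, as an added PowerShell example that is not part of the original message. The script parameters are assumptions: `$RootPath` is a root certificate file the user has already downloaded, and `$ExpectedSha256` is its fingerprint obtained through a separate trusted channel.

```powershell
# Added example, not from the original thread.
# Assumed inputs: a downloaded root certificate file and a SHA-256
# fingerprint that was obtained out of band (not from the same download).
param(
    [Parameter(Mandatory)] [string] $RootPath,
    [Parameter(Mandatory)] [string] $ExpectedSha256
)

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootPath

# Compute the SHA-256 fingerprint over the DER encoding of the certificate.
$sha = [System.Security.Cryptography.SHA256]::Create()
try {
    $actual = [System.BitConverter]::ToString($sha.ComputeHash($root.RawData)) -replace '-', ''
} finally {
    $sha.Dispose()
}

# Normalise the expected value (strip colons/whitespace, upper-case) and compare.
$want = ($ExpectedSha256 -replace '[:\s]', '').ToUpperInvariant()
if ($actual -ne $want) {
    throw "Fingerprint mismatch: file has $actual, expected $want. Not installing."
}

# A trust anchor is self-issued; refuse anything that is not.
if ($root.Subject -ne $root.Issuer) {
    throw "Certificate is not self-issued (Subject differs from Issuer). Not installing."
}

# Install into the current user's Trusted Root store only, so the decision
# affects this account and not every user of the machine.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'CurrentUser'
$store.Open('ReadWrite')
try {
    $store.Add($root)
} finally {
    $store.Close()
}

Write-Output "Installed root '$($root.Subject)' (SHA-256 $actual) in Cert:\CurrentUser\Root"
```

Certificate validation itself stays enabled; only the set of trusted roots for this one user changes, and the entry can be removed again from the same store.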