Hi Roland,

> I don’t agree: if you write a program that shall have certain security
> characteristics, then you must certainly test it under the same constraints
> that you will run it with in production. Otherwise you run something that
> you have not tested. How would you test the failure scenarios where
> precisely these hostname checks fail? This should be handled (and probably
> reported) properly.
>
> Therefore I don’t see the private CA as a workaround, I see it as a
> necessity so that security is practiced by everyone involved.

I have to admit my knowledge about SSL/TLS is very limited. But if hostname verification is causing trouble in our production code, I would not hesitate to switch it off for production code. Our code is used in an intranet, anyway, and I am really not worried about man-in-the-middle attacks.
The obvious question is, why use https at all? I wouldn't, but the software we connect to is https only, so we have to live with it. This might be an exception and I guess we can get everything working with hostname verification (or maybe it just works, I did not try it yet). I am just not eager to spend lots of time to get security right if security is basically irrelevant, anyway.

Best regards,
Michael
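As an added illustration of what the hostname check discussed in this thread actually decides (this is not code from the thread, from Akka or from ssl-config), the following stand-alone Python snippet applies the usual RFC 6125 matching rules to a certificate's subjectAltName entries. The SAN list is constructed for the example and uses the `('DNS', name)` / `('IP Address', addr)` tuple shape that Python's `ssl.SSLSocket.getpeercert()` returns; the function names are the example's own. With a private CA, an operator controls which SANs a test certificate carries, so both the matching and the non-matching path can be exercised and the reported reason checked before deployment, which is the testing point Roland raises.

```python
"""Hostname verification against a server certificate's subjectAltName.

Rules implemented (RFC 6125 / RFC 2818 as commonly deployed):
- DNS names compare case-insensitively, label by label; a trailing dot is ignored.
- A single '*' may stand only for the whole leftmost label: '*.svc.example'
  matches 'db.svc.example' but not 'a.b.svc.example' or 'svc.example'.
- A literal IP address in the URL must equal an 'IP Address' SAN; it never
  matches a DNS SAN, and a DNS name never matches an IP SAN.
- The subject CN is not consulted when SAN entries are present.
"""
import ipaddress


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN pattern against the requested hostname."""
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire leftmost label and must leave at least two
    # fixed labels, so '*.com' cannot match every .com host.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # The wildcard covers exactly one label, never several.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(san_entries, hostname: str) -> None:
    """Raise ValueError with the reason if hostname matches no SAN entry.

    san_entries: iterable of (kind, value) tuples, e.g. ('DNS', 'app.example')
    or ('IP Address', '10.0.0.5'), as in getpeercert()['subjectAltName'].
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    dns_sans = [v for k, v in san_entries if k == "DNS"]
    ip_sans = [v for k, v in san_entries if k == "IP Address"]
    if ip is not None:
        if any(ipaddress.ip_address(v) == ip for v in ip_sans):
            return
        raise ValueError(f"IP address {hostname} matches no IP SAN in {ip_sans}")
    if any(_dns_name_matches(p, hostname) for p in dns_sans):
        return
    raise ValueError(f"hostname {hostname!r} matches no DNS SAN in {dns_sans}")


def hostname_matches(san_entries, hostname: str) -> bool:
    """Boolean convenience wrapper around verify_hostname()."""
    try:
        verify_hostname(san_entries, hostname)
        return True
    except ValueError:
        return False


# Constructed sample SAN list, as a private CA might issue for an intranet service.
SAMPLE_SAN = [
    ("DNS", "app.intranet.example"),
    ("DNS", "*.svc.intranet.example"),
    ("IP Address", "10.0.0.5"),
]

if __name__ == "__main__":
    for host in ["app.intranet.example", "db.svc.intranet.example",
                 "a.b.svc.intranet.example", "10.0.0.6"]:
        try:
            verify_hostname(SAMPLE_SAN, host)
            print(f"{host}: OK")
        except ValueError as exc:
            print(f"{host}: REJECTED ({exc})")  # what a client should log/report
```

The `ValueError` message is the part worth surfacing in a client's error reporting: a bare "handshake failed" gives an operator nothing to act on, whereas "hostname matches no DNS SAN" points straight at the certificate that needs reissuing.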