Hi Michael,

On Mon, Feb 22, 2016 at 4:04 PM, Michi <michael.tha...@physik.tu-muenchen.de> wrote:

> Hi Roland,
>
>> I don't agree: if you write a program that shall have certain security characteristics, then you must certainly test it under the same constraints that you will run it with in production. Otherwise you run something that you have not tested. How would you test the failure scenarios where precisely these hostname checks fail? This should be handled (and probably reported) properly.
>>
>> Therefore I don't see the private CA as a workaround, I see it as a necessity so that security is practiced by everyone involved.
>>
> I have to admit my knowledge about SSL/TLS is very limited. But if hostname verification is causing trouble in our production code, I would not hesitate to switch it off for production code. Our code is used in an intranet, anyway, and I am really not worried about man-in-the-middle attacks.

In this case the proper solution is to add the certificate of that service to a truststore. Then the truststore can be relatively easily installed on the client machines, i.e. you need to do this once.

> The obvious question is, why use https at all? I wouldn't, but the software we connect to is https only, so we have to live with it. This might be an exception and I guess we can get everything working with hostname verification (or maybe it just works, I did not try it yet). I am just not eager to spend lots of time to get security right if security is basically irrelevant, anyway.

This is a very specific use case though.

-Endre

> Best regards,
> Michael
>
> --
> >>>>>>>>>> Read the docs: http://akka.io/docs/
> >>>>>>>>>> Check the FAQ: http://doc.akka.io/docs/akka/current/additional/faq.html
> >>>>>>>>>> Search the archives: https://groups.google.com/group/akka-user
> ---
> You received this message because you are subscribed to the Google Groups "Akka User List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to akka-user+unsubscr...@googlegroups.com.
> To post to this group, send email to akka-user@googlegroups.com.
> Visit this group at https://groups.google.com/group/akka-user.
> For more options, visit https://groups.google.com/d/optout.

--
Akka Team
Typesafe - Reactive apps on the JVM
Blog: letitcrash.com
Twitter: @akkateam
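The truststore approach Endre describes, written out as an added JVM example (this code is not from the thread or from Akka itself). It builds an SSLContext that trusts only the certificates in a dedicated truststore and keeps the default hostname verifier in place; before connecting it lists the DNS names the trusted certificates actually carry, so a hostname-verification failure can be traced to a certificate that does not name the host rather than "fixed" by disabling the check. The truststore path, password and service URL are assumptions for illustration; the SAN check is a plain string comparison and ignores wildcard names.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class IntranetTrustStoreClient {

    // Assumed values for this example; replace with your own deployment's paths.
    static final String TRUSTSTORE_PATH = "/etc/myapp/intranet-truststore.p12";
    static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();
    static final String SERVICE_URL = "https://service.intranet.example/api/health";

    /** Loads a PKCS12 truststore from disk (created once, e.g. with keytool, and shipped to every client). */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        return trustStore;
    }

    /** Builds an SSLContext whose trust decisions come only from the given truststore. */
    static SSLContext sslContextFromTrustStore(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null key managers: this client does not present a certificate of its own.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Collects the dNSName SAN entries of every X.509 certificate in the truststore. */
    static List<String> dnsNamesInTrustStore(KeyStore trustStore)
            throws KeyStoreException, CertificateParsingException {
        List<String> names = new ArrayList<>();
        for (String alias : Collections.list(trustStore.aliases())) {
            Certificate c = trustStore.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            Collection<List<?>> sans = ((X509Certificate) c).getSubjectAlternativeNames();
            if (sans == null) continue;
            for (List<?> san : sans) {
                // GeneralName type 2 is dNSName; the value is the host name string.
                if (Integer.valueOf(2).equals(san.get(0))) {
                    names.add((String) san.get(1));
                }
            }
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        KeyStore trustStore = loadTrustStore(TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD);
        URL url = new URL(SERVICE_URL);

        // Diagnostic: if the host is not named by any trusted certificate, the default
        // hostname verifier will (correctly) reject the connection. The fix is a
        // certificate that names the host, not a disabled verifier.
        List<String> dnsNames = dnsNamesInTrustStore(trustStore);
        System.out.println("Trusted DNS names: " + dnsNames);
        if (!dnsNames.contains(url.getHost())) {
            System.out.println("Warning: no trusted certificate names " + url.getHost()
                + " (wildcards are not considered by this simple check)");
        }

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(sslContextFromTrustStore(trustStore).getSocketFactory());
        // No setHostnameVerifier(...) call: the default verifier compares the
        // certificate's names against url.getHost() and stays enabled.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The truststore itself is built once from the service's certificate (PEM export) with the JDK's own tool, for example `keytool -importcert -file service.pem -alias intranet-service -storetype PKCS12 -keystore intranet-truststore.p12`, and that file is what gets distributed to the client machines. Because the context is initialised from that store alone, the client rejects any other issuer, and because the hostname verifier is untouched, it also rejects a trusted certificate presented for the wrong host, which is exactly the failure case Roland wants to see tested rather than switched off.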