On Sat, 26 Jul 2003, David Woolley wrote:
> > "echo QUIT | openssl s_client -connect whatever.invalid:443 > certfile"
>
> This is only useful if the site is local and connected over a physically
> secure network. Otherwise you need mechanisms, that go beyond simply
> providing a link, to ensure that you are actually getting the certificate
> from the real site, e.g. you might look for a key signature in printed
> literature, or phone them up to verify the key signature.

True, but the same considerations apply to any certificates that you
use. What you need to do depends on how secure you want the connection
to be. Should we put in a warning about getting a cacert bundle from the
modssl distribution? Someone could certainly hack a mirror site and put
in an altered ca-bundle.crt file.

I guess it would be best to leave out information about s_client use,
since if you know how to use it properly, you probably didn't need the
pointer to it here.

Doug
--
Doug Kaufman
Internet: [EMAIL PROTECTED]
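
An added example, not part of the original messages: the s_client command quoted above saves the whole session transcript, and the certificate in it is only as trustworthy as the network path it came over. This sketch pulls the certificate out of such a transcript and accepts it only if its SHA-256 fingerprint equals one obtained through a separate channel. The function names are hypothetical and the sample transcript is constructed, with placeholder bytes in place of a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def leaf_der(transcript: str) -> bytes:
    """Return the DER bytes of the first certificate in s_client output."""
    m = PEM_RE.search(transcript)
    if m is None:
        raise ValueError("no certificate in s_client output")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalise(fp: str) -> str:
    """Strip separators and case so a typed-in fingerprint compares cleanly."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def matches_out_of_band(transcript: str, trusted_fp: str) -> bool:
    """True only if the fetched certificate has the fingerprint obtained
    through a separate channel (printed literature, a phone call)."""
    got = normalise(fingerprint(leaf_der(transcript)))
    want = normalise(trusted_fp)
    # A truncated or padded reference value fails closed.
    return len(want) == 64 and hmac.compare_digest(got, want)

# Constructed sample: the shape of s_client output, with placeholder bytes
# where a real certificate body would be (this is not a real certificate).
SAMPLE_DER = b"constructed placeholder, not a real certificate " * 3
_b64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_TRANSCRIPT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n---\nServer certificate\n"
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
    + "\n-----END CERTIFICATE-----\n---\nDONE\n"
)

if __name__ == "__main__":
    fp = fingerprint(leaf_der(SAMPLE_TRANSCRIPT))
    print("fetched fingerprint:", fp)
    print("match:", matches_out_of_band(SAMPLE_TRANSCRIPT, fp.lower()))
```

The reference fingerprint has to come from somewhere other than the connection being checked; comparing the certificate against a value fetched over the same path proves nothing.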