<noloa...@gmail.com> wrote:
> On Sat, Jul 7, 2012 at 4:02 PM,  <pro...@secure-mail.biz> wrote:
> > <noloa...@gmail.com> wrote:
> >> You pin a certificate by whitelisting expected server certificates
> >> (possibly thumbprints).
> >
> > [SNIP]
> > So my original question was how do I get wget to verify the torproject.org
> > fingerprint [4] without depending on root CAs? The only possible solution
> > I saw was downloading the torproject.org SSL public key, run a local CA,
> > sign the certificate and run wget with the --ca-certificate switch. That's why
> > I posted the question "Sign public key without having CSR or private key?".
> >
> > If there are any suggestions for this situation I am all ears.
>
> Come to think of it, you could use OpenSSL's s_client to do the
> pinning, and then use wget if everything is OK. It does set up a
> small breeding ground for a TOCTOU
> (http://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf),
> but I believe the risk is small.

Since the implementation will be Open Source, it would be possible for an adversary
to take advantage of the TOCTOU, i.e. not tamper with the s_client traffic but tamper
with the wget traffic.

Cheers,
proper

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
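An added example, not code from this thread nor from the OpenSSL or wget projects, showing how the TOCTOU the two messages discuss can be avoided: the thumbprint whitelist check and the download happen over a single TLS session, so the connection that was pinned is the connection that fetches the file, and no root CA store is consulted. It uses only Python's standard library; the host name, path and the all-zero pin value are placeholders.

```python
"""Added example (not from the thread): pin-check and fetch on ONE TLS connection.

Checking the server certificate with `openssl s_client` and then running wget
separately leaves a TOCTOU window, because the connection that was pinned is
not the connection that downloads the file. Doing both on the same session
removes that window.
"""
import hashlib
import hmac
import http.client
import ssl

# Constructed placeholder pin. A real deployment records the SHA-256 of the
# DER-encoded server certificate obtained out of band (e.g. a published
# fingerprint) and must update it whenever the certificate is renewed.
PINNED_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000000",
}


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 thumbprint of a DER-encoded certificate as lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


def cert_is_pinned(der_cert: bytes, pins) -> bool:
    """True if the certificate's thumbprint is in the whitelist.

    Each comparison is constant-time so timing does not reveal how much
    of a candidate digest matched.
    """
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p.lower()) for p in pins)


def fetch_pinned(host: str, path: str, pins, port: int = 443) -> bytes:
    """Fetch `path` from `host`, trusting only certificates listed in `pins`.

    This is the "whitelist expected server certificates (thumbprints)" model
    from the thread: trust comes from the pin alone, not from any root CA.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # identity is bound by the pin, not a CA
    ctx.verify_mode = ssl.CERT_NONE   # we verify the certificate ourselves below

    conn = http.client.HTTPSConnection(host, port, context=ctx)
    conn.connect()                    # TLS handshake happens here
    try:
        der = conn.sock.getpeercert(binary_form=True)  # leaf certificate, DER
        if not cert_is_pinned(der, pins):
            raise ssl.SSLError(
                f"certificate thumbprint {cert_fingerprint(der)} is not pinned"
            )
        # Same session that was just pinned: there is no second connection
        # for an adversary to tamper with.
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        if resp.status != 200:
            raise http.client.HTTPException(f"HTTP {resp.status}")
        return resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder host and pin: this is expected to be refused until both
    # are replaced with real values.
    try:
        body = fetch_pinned("example.invalid", "/", PINNED_SHA256)
        print(len(body), "bytes")
    except (OSError, ssl.SSLError, http.client.HTTPException) as exc:
        print("refused:", exc)
```

Pinning the whole certificate (rather than its public key) means the pin set must be refreshed on every certificate renewal, which is the same operational cost the thread's fingerprint approach carries; the point of the example is only that the check and the transfer share one session.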
