On 6/7/18 5:34 PM, Bob Friesenhahn wrote:
On Thu, 7 Jun 2018, Warren Young wrote:
Yes, I know that, but it does solve the other likely problem when
using a too-old system with HTTPS, being an inability for the client
and server to agree on a mutually-supported encryption suite. With
all of the security vulnerabilities found in encryption algorithms,
hashing algorithms, and libraries over the past 9 years, there’s a
fair chance Lenny’s OpenSSL won’t be able to talk to the TLS
implementation on sqlite.org even with the CA issue solved.
In this case, we already heard that Lenny’s wget is able to access the
web site if server certificate checks are disabled.
It is much easier to add to the certificates used by the system given
that wget already works.
Bob
Merely my nickle's worth of thoughts here but I think you can go to a
Debian 9 system and tarball the contents of /etc/ssl/certs and then drop
them into any system. There should be a ssl.cnf file kicking around as
well if that helps. Also wget can be given --ca-directory=/etc/ssl/certs
as an option if necessary. Should be if wget is linked with openssl
correctly.
Dennis
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
