Firefox keeps them in a database called cert8.db in <user>/Library/Application Support/Firefox/Profiles/*/
Safari keeps them in /System/Library/Keychains/SystemCACertificates.keychain
Neither of these formats is legible to OpenSSL.
These comments are about Firefox 32.0.3, and OSX 10.6.8 which is now obsolete. Later versions may do things differently.
On 10/26/14, eocene <eocene at gmx.com> wrote:
James wrote:
Every certificate that doesn't have something at the root of its chain, as it should. I'm on osx and there is no /etc/ssl/certs, so I had no roots until I started loading them.
Where does OSX keep them?
I'd looked on the web a bit in the past in case there was any simple consensus out there on the matter of where to check, but didn't find anything.
I'll see where curl checks. Whatever they do is probably a good idea.
I put up a new version that checks various locations for certificates and permits a location to be specified during configuration. It may not make any difference for osx, but maybe it will help the BSDs. http://www.dillo.org/test/ssl_in_browser.diff
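An added illustration of the approach described in the message above (probe several certificate locations, with a configure-time location taking precedence). It is not code from the thread or from the Dillo patch; the candidate list and the names ca_classify and ca_locate are assumptions made for this sketch.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

enum ca_kind { CA_NONE = 0, CA_FILE, CA_DIR };

/* Assumed candidate list for illustration; not taken from the Dillo patch. */
static const char *const ca_candidates[] = {
    "/etc/ssl/certs/ca-certificates.crt",     /* Debian, Ubuntu bundle */
    "/etc/pki/tls/certs/ca-bundle.crt",       /* Fedora, RHEL bundle */
    "/etc/ssl/cert.pem",                      /* OpenBSD bundle */
    "/usr/local/share/certs/ca-root-nss.crt", /* FreeBSD ca_root_nss port */
    "/etc/ssl/certs",                         /* hashed certificate directory */
    NULL
};

/* Presence check only: non-empty readable file or searchable directory. */
enum ca_kind ca_classify(const char *path)
{
    struct stat st;
    if (!path || !*path || stat(path, &st) != 0)
        return CA_NONE;
    if (S_ISREG(st.st_mode) && st.st_size > 0 && access(path, R_OK) == 0)
        return CA_FILE;
    if (S_ISDIR(st.st_mode) && access(path, R_OK | X_OK) == 0)
        return CA_DIR;
    return CA_NONE;
}

/* Try the configure-time location first, then each candidate in order.
 * NULL means no roots: every chain should be reported as unverified. */
const char *ca_locate(const char *configured, const char *const *list)
{
    if (ca_classify(configured) != CA_NONE)
        return configured;
    for (; list && *list; list++)
        if (ca_classify(*list) != CA_NONE)
            return *list;
    return NULL;
}

int main(void)
{
    const char *p = ca_locate(NULL, ca_candidates);
    /* File -> CAfile, directory -> CApath of SSL_CTX_load_verify_locations(). */
    printf("%s\n", p ? p : "no CA store found");
    return p ? 0 : 1;
}
```

A NULL result corresponds to the situation James describes on OS X, where no chain has a trusted root until certificates are loaded from somewhere else.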
I had planned to wait until after 3.1 to integrate the ssl-in-browser code, but since 1) dillo hasn't been moving toward release lately and 2) Johannes tells me that the patch has been working well for him, I now plan to put it into dillo when I get a chance in coming days. Having it in dillo means that dillo can be a better internet citizen (http_max_conns, http_persistent_conns), there is certificate hostname checking borrowed from wget, server name indication (fewer certificate warnings), we can remember for the session that the user accepted the use of a questionable certificate instead of continuing to give warnings, we can check non-root-url certificates without endless warning popups...
I wrote:
I had planned to wait until after 3.1 to integrate the ssl-in-browser code, but since 1) dillo hasn't been moving toward release lately and 2) Johannes tells me that the patch has been working well for him, I now plan to put it into dillo when I get a chance in coming days.
Having it in dillo means that dillo can be a better internet citizen (http_max_conns, http_persistent_conns), there is certificate hostname checking borrowed from wget, server name indication (fewer certificate warnings), we can remember for the session that the user accepted the use of a questionable certificate instead of continuing to give warnings, we can check non-root-url certificates without endless warning popups...
(Also the Tor + dpi issue that Johannes mentioned last year)
Committed. I'm looking forward to seeing how it works for you...