You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
During the discussion for SSL in 2014, this (the command-line option) was requested as an option. While the other options have been implemented, I would like to request the additional command-line option "--sslca=".
I tried the option in version 0.4.1 but it was not implemented; unless I am missing something.
Use case:
A public webserver, with a signed certificate from an an approved CA, limits websocket access to known, self-signed, client certificates. Developers create their own key-pairs and supply the public certificate to IT for websocket access.
Problem:
Currently, the software requires client certificates signed by an approved certificate authority since the CA list used is system wide. Therefore the websocket server refuses connections from self-signed certificates. with the following error: TLS handshake error from ********:****: remote error: tls: unknown certificate authority
To gain the function, modification of the system-wide certificate store to add the clients' certificate is required. The system-wide certificate store is automatically updated regularly (e.g. by Lets Encrypt or IT), overwriting the changes, and modification of the vanilla CA file is inherently a security risk, changing it's verifiable hash.
Resolution:
Use a specific CA file only listing allowed clients' public certificates, obviating the need to modify system-wide CA files.
This would allow the clients to verify the public server against the sites public certificate (by an approved CA) while accepting known clients identified by their self-signed certificate. I believe this would require a command-line or file configuration setting to define the certificate store to use. (e.g. --sslca=).
Nice-to-haves:
The ability to define a directory of certificates rather than a single file for --sslca=.
The text was updated successfully, but these errors were encountered:
During the discussion for SSL in 2014, this (the command-line option) was requested as an option. While the other options have been implemented, I would like to request the additional command-line option "--sslca=".
I tried the option in version 0.4.1 but it was not implemented; unless I am missing something.
Use case:
A public webserver, with a signed certificate from an an approved CA, limits websocket access to known, self-signed, client certificates. Developers create their own key-pairs and supply the public certificate to IT for websocket access.
Problem:
Currently, the software requires client certificates signed by an approved certificate authority since the CA list used is system wide. Therefore the websocket server refuses connections from self-signed certificates. with the following error:
TLS handshake error from ********:****: remote error: tls: unknown certificate authority
To gain the function, modification of the system-wide certificate store to add the clients' certificate is required. The system-wide certificate store is automatically updated regularly (e.g. by Lets Encrypt or IT), overwriting the changes, and modification of the vanilla CA file is inherently a security risk, changing it's verifiable hash.
Resolution:
Use a specific CA file only listing allowed clients' public certificates, obviating the need to modify system-wide CA files.
This would allow the clients to verify the public server against the sites public certificate (by an approved CA) while accepting known clients identified by their self-signed certificate. I believe this would require a command-line or file configuration setting to define the certificate store to use. (e.g. --sslca=).
Nice-to-haves:
The ability to define a directory of certificates rather than a single file for --sslca=.
The text was updated successfully, but these errors were encountered: