I want to make authentication based only on client certificates. Those certificates must be signed by the same CA as the murmur certificate.

I made my own CA and I made a server certificate signed by this CA. My android/desktop clients can enter into the server with the autogenerated certificates (those made by mumble/plumble clients), with certificates signed by my own CA and with self-signed certificates.

My certificate for the server is added in murmur.ini (sslCert), in pem format, and contains all the chain to the Root CA. The key is at sslKey, also in pem format. If I clear the trust database from a plumble client, the certificate for murmur (the one made by me) is read and can be trusted.

I added the -wipessl option when restarting murmur hoping that those autogenerated/self-signed certificates would not be accepted anymore. I also added my CA in ca-certificates and ran "sudo dpkg-reconfigure ca-certificates". Those certificates from my plumble clients are in.

How to make the server to verify a client certificate and to block the access to my server?

Ouch these are a lot of ignored SSL errors. I guess it would also be worth it to re-check whether we need that many exceptions. From a first glance it almost seems as if you can connect with basically any certificate, which would bring up the question of why one should bother with a cert in the first place.

For the actual implementation I have 2 comments though:

We should not use numbers to represent different options. Instead we should assign names to these cases and write those in the ini file. Otherwise folks will not be able to read the ini anymore (plus we are dependent on the actual values in Qt's enum).

I think configuring this as "ignored SSL errors" reads weird as for once this exposes an implementation detail (that these are SSL errors that are actively ignored) that a server admin should not have to worry about.

In general I would propose to add an option called e.g. clientCertificateRelaxations which could then contain a comma-separated list of keywords such as AllowExpired, AllowSelfSigned, which then internally get converted to a list of SSL error codes that are then checked inside the sslError function.