Opened 6 years ago

Closed 4 years ago

#1294 closed task (fixed)

Review/Improve certificate handling

Reported by: killyourtv Owned by:
Priority: minor Milestone: 0.9.20
Component: api/utils Version: 0.9.13
Keywords: Cc:
Parent Tickets: Sensitive: no


zzz wrote at http://zzz.i2p/posts/8039:

The SSLEepGet cert handling is rather crude. It took me months to get it working and then I never looked at it again. The trusted certs from the certificates dir are essentially added as root CA certs. I think that means they are trusted for anything? While we trust our reseed hosts to not be malicious, what about cacert?

While we don't normally use SSLEepGet for anything else, if it's used on the command line, the certs will still get pulled in and trusted, so one of the cert owners could maliciously MiTM you for something else, perhaps?

Probably worth a ticket to review/improve things.


Change History (2)

comment:1 Changed 5 years ago by str4d

Status: newopen

comment:2 Changed 4 years ago by zzz

Component: router/generalapi/utils
Milestone: 0.9.20
Resolution: fixed
Status: openclosed

Hostname verification was added in 0.9.20

Note: See TracTickets for help on using tickets.