~nhanb/mcross#1: 
mcross does not accept self signed certificates

Gemini is designed to use a TOFU approach to TLS. As such, capsules using a centralized certificate authority should be the exception and not the rule (it isn't against the spec to do so, but it is against the spirit of the spec). As such, mcross should accept self-signed certificates and actually use a TOFU security model for how it handles things. At a minimum it should handle the self-signed certs, since Gemini is mostly unusable without doing so.

Status
REPORTED
Submitter
Brian Evans
Assigned to
Submitted
5 months ago
Updated
5 months ago
Labels
No labels applied.

~nhanb 5 months ago

Agreed. Admittedly I went with only accepting CA-certified sites simply because that took the least amount of work to get an MVP going. I'll eventually get around to trust-on-first-use TLS - it's on the feature checklist.

~nhanb 5 months ago

FWIW I turned off cert validation for now. I'll figure out how to do TOFU TLS on python Soon (tm).
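The following is an added example of the trust-on-first-use handling discussed in this issue and the comments above; it is not mcross's code. It uses only the Python standard library: the CA check is switched off solely so the handshake completes for self-signed certificates, and the trust decision is then made by comparing a SHA-256 fingerprint of the server's DER certificate against a pinned value. The known-hosts file format (one `host sha256hex` line per host), the `~/.mcross_known_hosts` path and all function names are assumptions made for this example.

```python
"""Trust-on-first-use (TOFU) pinning of Gemini server certificates, stdlib only.

Hypothetical example code, not part of mcross. The known-hosts file format
(one "host sha256hex" pair per line) is an assumption made for this example.
"""
import hashlib
import hmac
import socket
import ssl
from pathlib import Path


class CertificateMismatch(Exception):
    """The server presented a certificate that differs from the pinned one."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def load_known_hosts(path) -> dict:
    """Read 'host fingerprint' lines; a missing file means an empty trust store."""
    known = {}
    p = Path(path)
    if not p.exists():
        return known
    for line in p.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, fp = line.split()
        known[host] = fp
    return known


def save_known_hosts(path, known: dict) -> None:
    """Write the trust store back in the same one-pair-per-line format."""
    Path(path).write_text("".join(f"{h} {fp}\n" for h, fp in sorted(known.items())))


def tofu_verdict(known: dict, host: str, der_cert: bytes) -> str:
    """'new' if the host is unseen, 'match' if the pin agrees, else 'mismatch'."""
    pinned = known.get(host)
    if pinned is None:
        return "new"
    # Constant-time comparison of the hex digests.
    if hmac.compare_digest(pinned, fingerprint(der_cert)):
        return "match"
    return "mismatch"


def check_and_pin(known: dict, host: str, der_cert: bytes) -> str:
    """TOFU policy: pin on first sight, accept on match, refuse on change."""
    verdict = tofu_verdict(known, host, der_cert)
    if verdict == "new":
        known[host] = fingerprint(der_cert)
    elif verdict == "mismatch":
        raise CertificateMismatch(
            f"{host}: pinned {known[host][:16]}..., got {fingerprint(der_cert)[:16]}..."
        )
    return verdict


def fetch_peer_cert(host: str, port: int = 1965, timeout: float = 10.0) -> bytes:
    """Open a TLS connection and return the server's certificate in DER form.

    CA validation is disabled only so that the handshake completes for
    self-signed certificates; check_and_pin() is what makes the trust decision.
    check_hostname must be cleared before verify_mode, or ssl raises ValueError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_host(host: str, known_hosts_path, port: int = 1965) -> str:
    """Fetch the cert, check it against the store, persist a new pin, return the verdict."""
    known = load_known_hosts(known_hosts_path)
    verdict = check_and_pin(known, host, fetch_peer_cert(host, port))
    if verdict == "new":
        save_known_hosts(known_hosts_path, known)
    return verdict


if __name__ == "__main__":
    import sys

    # Assumed store location; any writable path works.
    print(verify_host(sys.argv[1], Path.home() / ".mcross_known_hosts"))
```

A client would call `verify_host()` once per connection before sending the Gemini request; on `CertificateMismatch` it should refuse to proceed and let the user decide whether the capsule legitimately rotated its certificate, since at that point TOFU can no longer distinguish a rotation from an interception.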
