[9fans] ca.pem

[9fans] ca.pem

[Jeff Sickel]

What do people use for /sys/lib/tls/ca.pem?

I noticed that David added it as the default for Go’s
crypt/x509, but do you use a blank, self-signed template,
or an actual trusted CA chain?

Re: [9fans] ca.pem

[David du Colombier]

[-- Attachment #1: Type: text/plain, Size: 223 bytes --]

It is mean to contain the trusted root certification authorities.

Such a file didn't exist previously on Plan 9, since the native X.509
libraries didn't handle certificate chain verification.

--
David du Colombier

[-- Attachment #2: Type: text/html, Size: 282 bytes --]

Re: [9fans] ca.pem

[cinap_lenrek]

obviously, plan9 has no root.

--
cinap

Re: [9fans] ca.pem

[erik quanstrom]

On Tue Dec  3 13:16:42 EST 2013, cinap_lenrek@felloff.net wrote:
> obviously, plan9 has no root.

it fell off.

- erik

Re: [9fans] ca.pem

[Jeff Sickel]

Yes, but if you put a synthesized ca.pem file in place, say
from FreeBSD’s /etc/ssl/cert.pem, then the crypto/rsa test
passes.  Though maybe having an empty ca.pem will do the
same.

Either way, it’s needed to successfully use go get.


On Dec 3, 2013, at 12:15 PM, cinap_lenrek@felloff.net wrote:

> obviously, plan9 has no root.
> 
> --
> cinap
> 

Re: [9fans] ca.pem

[David du Colombier]

[-- Attachment #1: Type: text/plain, Size: 128 bytes --]

Yes, but using "go get" on a HTTPS URI will fail if you don't trust its
root certificate authority.

--
David du Colombier

[-- Attachment #2: Type: text/html, Size: 178 bytes --]

Re: [9fans] ca.pem

[Jeff Sickel]

I was primarily interested in doing:

	go get code.google.com/p/goprotobuf/proto
	go get code.google.com/p/goprotobuf/protoc-gen-go

Which works w/ a ca.pem using a trusted root CA.  I should probably
fix that with the python code as well since hg pull of go ends
up getting new code.google.com fingerprints every few days.

On Dec 3, 2013, at 12:36 PM, David du Colombier <0intro@gmail.com> wrote:

> Yes, but using "go get" on a HTTPS URI will fail if you don't trust its root certificate authority.
> 
> -- 
> David du Colombier
> 

Re: [9fans] ca.pem

[Skip Tavakkolian]

[-- Attachment #1: Type: text/plain, Size: 447 bytes --]

root CA certificates. David's reply jogged my memory; if i recall, i cat'ed
/etc/ssl/certs/*.pem of the ubuntu box and it was so i could go get.



On Tue, Dec 3, 2013 at 9:44 AM, Jeff Sickel <jas@corpus-callosum.com> wrote:

> What do people use for /sys/lib/tls/ca.pem?
>
> I noticed that David added it as the default for Go’s
> crypt/x509, but do you use a blank, self-signed template,
> or an actual trusted CA chain?
>
>
>
>

[-- Attachment #2: Type: text/html, Size: 784 bytes --]

Re: [9fans] ca.pem

[Steffen Daode Nurpmeso]

[-- Attachment #1: Type: text/plain, Size: 629 bytes --]

Skip Tavakkolian <skip.tavakkolian@gmail.com> wrote:
 |root CA certificates. David's reply jogged my memory; if i recall, i cat'ed
 |/etc/ssl/certs/*.pem of the ubuntu box and it was so i could go get.

I've not really followed it but there was a thread on
OpenSSL-users which mentioned an issue ([1]).
That thread mentioned a go(1) program [2] which was later also
suggested as good by Christian Heimes (in [1]).

  [1] <http://article.gmane.org/gmane.comp.encryption.openssl.user/50237>
  [2] <https://github.com/agl/extract-nss-root-certs>

I'm using curl-ca-bundle from curl(1), but that's perl(1).

--steffen

[-- Attachment #2: Original message content --]
[-- Type: message/rfc822, Size: 6229 bytes --]

[-- Attachment #2.1.1: Type: text/plain, Size: 447 bytes --]

root CA certificates. David's reply jogged my memory; if i recall, i cat'ed
/etc/ssl/certs/*.pem of the ubuntu box and it was so i could go get.



On Tue, Dec 3, 2013 at 9:44 AM, Jeff Sickel <jas@corpus-callosum.com> wrote:

> What do people use for /sys/lib/tls/ca.pem?
>
> I noticed that David added it as the default for Go’s
> crypt/x509, but do you use a blank, self-signed template,
> or an actual trusted CA chain?
>
>
>
>

[-- Attachment #2.1.2: Type: text/html, Size: 784 bytes --]