* [9fans] ca.pem
@ 2013-12-03 17:44 Jeff Sickel
2013-12-03 18:08 ` David du Colombier
2013-12-03 19:29 ` Skip Tavakkolian
0 siblings, 2 replies; 9+ messages in thread
From: Jeff Sickel @ 2013-12-03 17:44 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
What do people use for /sys/lib/tls/ca.pem?
I noticed that David added it as the default for Go’s
crypt/x509, but do you use a blank, self-signed template,
or an actual trusted CA chain?
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [9fans] ca.pem
2013-12-03 17:44 [9fans] ca.pem Jeff Sickel
@ 2013-12-03 18:08 ` David du Colombier
2013-12-03 18:15 ` cinap_lenrek
2013-12-03 19:29 ` Skip Tavakkolian
1 sibling, 1 reply; 9+ messages in thread
From: David du Colombier @ 2013-12-03 18:08 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
[-- Attachment #1: Type: text/plain, Size: 223 bytes --]
It is mean to contain the trusted root certification authorities.
Such a file didn't exist previously on Plan 9, since the native X.509
libraries didn't handle certificate chain verification.
--
David du Colombier
[-- Attachment #2: Type: text/html, Size: 282 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [9fans] ca.pem
2013-12-03 18:08 ` David du Colombier
@ 2013-12-03 18:15 ` cinap_lenrek
2013-12-03 18:18 ` erik quanstrom
2013-12-03 18:28 ` Jeff Sickel
0 siblings, 2 replies; 9+ messages in thread
From: cinap_lenrek @ 2013-12-03 18:15 UTC (permalink / raw)
To: 9fans
obviously, plan9 has no root.
--
cinap
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [9fans] ca.pem
2013-12-03 18:15 ` cinap_lenrek
@ 2013-12-03 18:18 ` erik quanstrom
2013-12-03 18:28 ` Jeff Sickel
1 sibling, 0 replies; 9+ messages in thread
From: erik quanstrom @ 2013-12-03 18:18 UTC (permalink / raw)
To: 9fans
On Tue Dec 3 13:16:42 EST 2013, cinap_lenrek@felloff.net wrote:
> obviously, plan9 has no root.
it fell off.
- erik
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [9fans] ca.pem
2013-12-03 18:15 ` cinap_lenrek
2013-12-03 18:18 ` erik quanstrom
@ 2013-12-03 18:28 ` Jeff Sickel
2013-12-03 18:36 ` David du Colombier
1 sibling, 1 reply; 9+ messages in thread
From: Jeff Sickel @ 2013-12-03 18:28 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
Yes, but if you put a synthesized ca.pem file in place, say
from FreeBSD’s /etc/ssl/cert.pem, then the crypto/rsa test
passes. Though maybe having an empty ca.pem will do the
same.
Either way, it’s needed to successfully use go get.
On Dec 3, 2013, at 12:15 PM, cinap_lenrek@felloff.net wrote:
> obviously, plan9 has no root.
>
> --
> cinap
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [9fans] ca.pem
2013-12-03 18:28 ` Jeff Sickel
@ 2013-12-03 18:36 ` David du Colombier
2013-12-03 18:43 ` Jeff Sickel
0 siblings, 1 reply; 9+ messages in thread
From: David du Colombier @ 2013-12-03 18:36 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
[-- Attachment #1: Type: text/plain, Size: 128 bytes --]
Yes, but using "go get" on a HTTPS URI will fail if you don't trust its
root certificate authority.
--
David du Colombier
[-- Attachment #2: Type: text/html, Size: 178 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [9fans] ca.pem
2013-12-03 18:36 ` David du Colombier
@ 2013-12-03 18:43 ` Jeff Sickel
0 siblings, 0 replies; 9+ messages in thread
From: Jeff Sickel @ 2013-12-03 18:43 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
I was primarily interested in doing:
go get code.google.com/p/goprotobuf/proto
go get code.google.com/p/goprotobuf/protoc-gen-go
Which works w/ a ca.pem using a trusted root CA. I should probably
fix that with the python code as well since hg pull of go ends
up getting new code.google.com fingerprints every few days.
On Dec 3, 2013, at 12:36 PM, David du Colombier <0intro@gmail.com> wrote:
> Yes, but using "go get" on a HTTPS URI will fail if you don't trust its root certificate authority.
>
> --
> David du Colombier
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [9fans] ca.pem
2013-12-03 17:44 [9fans] ca.pem Jeff Sickel
2013-12-03 18:08 ` David du Colombier
@ 2013-12-03 19:29 ` Skip Tavakkolian
2013-12-03 20:34 ` Steffen Daode Nurpmeso
1 sibling, 1 reply; 9+ messages in thread
From: Skip Tavakkolian @ 2013-12-03 19:29 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
[-- Attachment #1: Type: text/plain, Size: 447 bytes --]
root CA certificates. David's reply jogged my memory; if i recall, i cat'ed
/etc/ssl/certs/*.pem of the ubuntu box and it was so i could go get.
On Tue, Dec 3, 2013 at 9:44 AM, Jeff Sickel <jas@corpus-callosum.com> wrote:
> What do people use for /sys/lib/tls/ca.pem?
>
> I noticed that David added it as the default for Go’s
> crypt/x509, but do you use a blank, self-signed template,
> or an actual trusted CA chain?
>
>
>
>
[-- Attachment #2: Type: text/html, Size: 784 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [9fans] ca.pem
2013-12-03 19:29 ` Skip Tavakkolian
@ 2013-12-03 20:34 ` Steffen Daode Nurpmeso
0 siblings, 0 replies; 9+ messages in thread
From: Steffen Daode Nurpmeso @ 2013-12-03 20:34 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
[-- Attachment #1: Type: text/plain, Size: 629 bytes --]
Skip Tavakkolian <skip.tavakkolian@gmail.com> wrote:
|root CA certificates. David's reply jogged my memory; if i recall, i cat'ed
|/etc/ssl/certs/*.pem of the ubuntu box and it was so i could go get.
I've not really followed it but there was a thread on
OpenSSL-users which mentioned an issue ([1]).
That thread mentioned a go(1) program [2] which was later also
suggested as good by Christian Heimes (in [1]).
[1] <http://article.gmane.org/gmane.comp.encryption.openssl.user/50237>
[2] <https://github.com/agl/extract-nss-root-certs>
I'm using curl-ca-bundle from curl(1), but that's perl(1).
--steffen
[-- Attachment #2: Original message content --]
[-- Type: message/rfc822, Size: 6229 bytes --]
[-- Attachment #2.1.1: Type: text/plain, Size: 447 bytes --]
root CA certificates. David's reply jogged my memory; if i recall, i cat'ed
/etc/ssl/certs/*.pem of the ubuntu box and it was so i could go get.
On Tue, Dec 3, 2013 at 9:44 AM, Jeff Sickel <jas@corpus-callosum.com> wrote:
> What do people use for /sys/lib/tls/ca.pem?
>
> I noticed that David added it as the default for Go’s
> crypt/x509, but do you use a blank, self-signed template,
> or an actual trusted CA chain?
>
>
>
>
[-- Attachment #2.1.2: Type: text/html, Size: 784 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2013-12-03 20:34 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-12-03 17:44 [9fans] ca.pem Jeff Sickel
2013-12-03 18:08 ` David du Colombier
2013-12-03 18:15 ` cinap_lenrek
2013-12-03 18:18 ` erik quanstrom
2013-12-03 18:28 ` Jeff Sickel
2013-12-03 18:36 ` David du Colombier
2013-12-03 18:43 ` Jeff Sickel
2013-12-03 19:29 ` Skip Tavakkolian
2013-12-03 20:34 ` Steffen Daode Nurpmeso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).