![]() If you don’t mind getting the collection via a third party, the Curl project provides a regularly-updated conversion in Privacy-Enhanced Mail (PEM) format, which you can use directly: Unfortunately, their certificate collection is in a proprietary format, which is not of much use to others as is. For example, this is what I did for my assessment tool on SSL Labs.īecause it’s open source, Mozilla keeps the trust store in the source code repository: ![]() A better choice-but one that involves more work-is to turn to Mozilla, which is putting a lot of effort into maintaining a robust trust store. This choice is usually fine, but default trust stores may not always be up to date. One possibility is to use the trust store built into your operating system. OpenSSL does not come with any trusted root certificates (also known as a trust store), so if you’re installing from scratch you’ll have to find them somewhere else. I would say Mozilla / curl do the maintaining, and it would mean including the uptodate certdata.txt from Mozilla/curl in your program at the moment you compile it.ĪFAIK the root certificate is more static than nzbget releases.įWIW: Probably redundant in this thread, but I found interesting. As NZBget is open source, anybody can inspect it and compile it themselves. Other programs have their non-OS root certificate too (Firefox, Chrome (AFAIK), and curl), and that is trusted by users. It's indeed all about trust and not trusting. It's suspicious to provide a own root certificate list with your program Such situation is not distinguishable from an attack.īTW I don't know how easy it is to implement fingerprint check, may be that's another challenge on it's own.Īh, sorry, apparently I hadn't fully understood you yet. if for some reason the server legitimately updates the certificate the users have to update fingerprint.more work for users - instead of just activate one option "Validate certificate" they need to enter host fingerprint.no need to deal with certificate stores.self-signed certificates are as good as created by trusted issuers what matters is if the user trusts to the certificate. ![]() it doesn't matter if certificate was issued to other site what matters is if the user trusts to the certificate (solving problem).If authorities create another certificate for the same host that certificate will have a different fingerprint and will be detected No one can pretend to be the news server unless he has the original server certificate. NZBGet will validate fingerprint and report an error and stop connecting if it doesn't match. News servers configuration section in NZBGet will have a new option Fingerprint which must be set by user manually, something like: Which is a certificate fingerprint check. So instead of trying to verify server certificate I could possibly implement a different approach to improve security and prevent MitM attacks. Although wouldn't it be strange (or suspicious) that some program uses a non-system root certificate store? Well, this collection comes from Mozilla and Firefox does this exact thing (uses it's own certificate collection instead of system store). MacOS has it's own certificate store too.Īn alternative could be to ship a certificate collection within NZBGet package. Windows has it's own certificate store which of course isn't in format expected by OpenSSL. A lot of confusion and this is just on Linux. Interesting reading - A note about SSL/TLS trusted certificate stores, and platforms (OpenSSL and GnuTLS). The big question is where to get that collection? To perform validation a collection of trusted root certificates is needed. Certificate validation is a difficult thing for NZBGet.
0 Comments
Leave a Reply. |