Yggdrasil Auth
#11
Saving the root CA is a nice idea, and it should work, until either the root CA and/or any of the intermediate CAs go out of validity, which is in 2030+. Elegant solution.
I don't think the server has more certificates, because each cert is paid and why get more if you can reuse the same cert as long as the domain name matches?
#12
Also, what if they change CA?
#13
Stick another root cert in. Servers can't have multiple certs but in this situation we're the client so we can have as many certs as we can fit on the drive.

@xoft Saving the root CA is elegant, that's why everyone does that.
#14
Yeah, everyone does that and look where it got them - now they can't easily revoke certs after Heartbleed :P
I don't like the idea of keeping multiple CA certs and having to take care of them. I'm willing to do this if the cert doesn't change; the first time it changes, the code goes out and we use fingerprints.
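The two approaches discussed in this thread, as an added example (not code from the thread or from the project): a TLS client that trusts only a bundled list of root CAs, and a leaf-fingerprint check that stops matching once the server's certificate is reissued. All function names are hypothetical and the certificate bytes are constructed stand-ins, not real certificates.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pinned_context(root_pems):
    """Client context that trusts ONLY the given roots (system store not loaded)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    for pem in root_pems:  # a CA change is handled by adding one more PEM here
        ctx.load_verify_locations(cadata=pem)
    return ctx


def leaf_is_pinned(leaf_der: bytes, pins) -> bool:
    """True if the leaf's fingerprint matches any pin (constant-time compare)."""
    fp = fingerprint(leaf_der)
    matched = False
    for pin in pins:
        matched |= hmac.compare_digest(fp, pin.lower())
    return matched


def connect(host, port, root_pems, leaf_pins=None):
    """Handshake against the pinned roots; optionally also require a leaf pin."""
    ctx = pinned_context(root_pems)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if leaf_pins is not None and not leaf_is_pinned(leaf, leaf_pins):
                raise ssl.SSLError("leaf certificate does not match any pin")
            return fingerprint(leaf)


# Constructed stand-ins for a leaf certificate before and after reissue.
OLD_LEAF = ssl.PEM_cert_to_DER_cert(ssl.DER_cert_to_PEM_cert(b"constructed old leaf"))
NEW_LEAF = b"constructed leaf after reissue"
PINS = [fingerprint(OLD_LEAF)]  # a fingerprint-only client ships with this list
```

With root pinning, a reissued leaf under the same CA still validates; with fingerprint pinning, `leaf_is_pinned(NEW_LEAF, PINS)` is false until the new fingerprint is shipped to clients.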