You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Despite Let's Encrypt's awesomeness, there are still plenty legacy systems around in various intranets that use self-signed certificates.
When one faces a server with self-signed (or expired, or otherwise botched) certificate, and wants to interact with httpie with it, options are:
--verify yes (default) that provides strong trust guarantee, but usability is lost completely in this particular case;
--verify no restores usability at cost of trust, which is lost completely.
Middle-ground is TOFU a.k.a. SSH-style certificate verification. OpenSSH client does this. GnuTLS client can do this if --tofu option was specified. Whole thing boils down to:
On first use, prompt user to manually verify key fingerprint, and stash away a copy;
On subsequent use, verify server public key against fingerprint learned on first use.
Having --verify tofu as a third option would really nice. Or, without requiring stdio/terminal interaction, one way to implement this would be to print key fingerprint as a part of CERTIFICATE_VERIFY_FAILED error, and verify server's key against fingerprint if one was specified, something like this:
$ http https://old.crusty.server.com/foo
http: error: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) while doing GET request to URL: https://old.crusty.server.com/foo
http: info: add "--verify CvuIbn2kasZx0NS6A+Pdzfw1nQ40qtUc6eZXyIH92nM=" to trust this certificate
$ http --verify CvuIbn2kasZx0NS6A+Pdzfw1nQ40qtUc6eZXyIH92nM= https://old.crusty.server.com/foo
HTTP/1.1 200 OK
...
The text was updated successfully, but these errors were encountered:
Despite Let's Encrypt's awesomeness, there are still plenty legacy systems around in various intranets that use self-signed certificates.
When one faces a server with self-signed (or expired, or otherwise botched) certificate, and wants to interact with httpie with it, options are:
--verify yes
(default) that provides strong trust guarantee, but usability is lost completely in this particular case;--verify no
restores usability at cost of trust, which is lost completely.Middle-ground is TOFU a.k.a. SSH-style certificate verification. OpenSSH client does this. GnuTLS client can do this if
--tofu
option was specified. Whole thing boils down to:Having
--verify tofu
as a third option would really nice. Or, without requiring stdio/terminal interaction, one way to implement this would be to print key fingerprint as a part of CERTIFICATE_VERIFY_FAILED error, and verify server's key against fingerprint if one was specified, something like this:The text was updated successfully, but these errors were encountered: