zinonet / naclports

Automatically exported from code.google.com/p/naclports
0 stars 0 forks source link

Add certificates so that curl can use https in the devenv #189

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The devenv currently does not support curl using https.
This should just be a matter of adding appropriate root certs.
How to select them might require some care.

Original issue reported on code.google.com by bradnelson@google.com on 25 Jan 2015 at 8:22

GoogleCodeExporter commented 9 years ago
I've been adding https to some of the NaCl documentation pages recently. Have I 
been confusing users because of this? (even if https is the Right Thing™).

Original comment by j...@chromium.org on 25 Jan 2015 at 4:42

GoogleCodeExporter commented 9 years ago
It is generally the right thing.
I just wanted to actually talk thru a good place to get certs with the security 
team before I assume I know what I'm doing with it.
There are 2 other options actually:
- pass an option to curl that turns of certificate check. So man in the middle 
is still possible, but at least its encrypted.
- we also have the geturl utility which uses urlloader. This works in the 
pnacl/web version, but has a bunch of limitations in terms of options, it does, 
however support https.

Original comment by bradnelson@google.com on 25 Jan 2015 at 7:05

GoogleCodeExporter commented 9 years ago
Sam and I discussed this previously when we were going to need certs for git in 
CDE. IIRC, he talked to agl@ who suggested using the mozilla root certs 
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/inc
luded/ and extracting them using this go tool 
https://github.com/agl/extract-nss-root-certs

Original comment by binji@chromium.org on 25 Jan 2015 at 7:10

GoogleCodeExporter commented 9 years ago
What ben said.

Original comment by sbc@chromium.org on 26 Jan 2015 at 6:46

GoogleCodeExporter commented 9 years ago
So I agree that's a valid way to get the certs.
Someone, I've forgotten who, suggested chatting with the security team to see 
if:
A. This is "ok"
B. Ask if there's any way to share chrome's certs (probably not).

Original comment by bradnelson@google.com on 26 Jan 2015 at 7:34

GoogleCodeExporter commented 9 years ago
We did have a chat with the security people.  IIRC they said this was probably 
be best/only option right now.  Perhaps some time in the distant future there 
may be some way to share/use chrome database but it didn't sound likely any 
time soon.

We should at least do this in a way that all naclports that link against 
openssl can include the database relatively simply.

Original comment by sbc@google.com on 26 Jan 2015 at 8:03

GoogleCodeExporter commented 9 years ago
Cool, sounds good.

Original comment by bradnelson@google.com on 26 Jan 2015 at 8:35