On 2009-10-08 15:45 PDT, Guenter wrote:
> Daniel,
> On 08.10.2009, 22:30, Daniel Veditz <dved...@mozilla.com> wrote:
> 
>> On 10/7/09 4:00 PM, Guenter wrote:
>>> Hi,
>>> is there any way to overwrite the default behaviour that a remote SSL
>>> host is verified against the CA list in the certdb?
>> At what level? Assuming you're asking in this newsgroup because you're  
>> writing code to use NSS directly
> exactly.
>> (or through PSM) you could look at what PSM does to create "override"  
>> exceptions and just do that automatically.
> I don't use PSM, I need a solution for pure NSS.
> And I'm fully aware of any risks which arise without verifying against a
> CA bundle to make sure that the cert's issuer is valid.
> So how do you deal with self-signed certificates if you don't want / can't
> import the matching CA to the certdb?
> Is there really no NSS setting / function which bypasses CA verification
> requirement?

Have you read through the documentation on libSSL?
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/index.html

The determination that a certificate is or is not acceptable is the
responsibility of the application that uses libSSL.  The application
registers a callback function that libSSL calls, when it receives the
peer's certificate, to ask "is this certificate acceptable for the peer
with whom you're trying to communicate?".  This is explained in
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1089578

NSS supplies a function that an application may elect to use for this
purpose, rather than writing its own.  That function is SSL_AuthCertificate,
documented in the libSSL function reference at
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1088888

There is a way to mark any peer certificate as trusted, all by itself,
without any regard to who issued it.  That is done by importing the
certificate into the cert DB and setting the "trusted peer" flag on the
certificate.  That's probably your simplest bet.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
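The reply above describes the mechanism in words: libSSL hands the peer certificate to an application-registered callback, and the application answers. The following is an added example, not code from the thread or from NSS, showing what such a callback looks like when the application wants to trust a few specific peer certificates "all by themselves" and otherwise fall back to NSS's own CA-chain check via SSL_AuthCertificate. The names peer_cert_is_pinned, pinned_cert, auth_ctx, pin_or_chain_auth and install_auth_hook are this example's own; the DER byte strings are constructed placeholders, not real certificates. The NSS glue (SSL_AuthCertificateHook, SSL_PeerCertificate, SSL_AuthCertificate, CERT_DestroyCertificate) is compiled only with -DHAVE_NSS and the NSS/NSPR headers and libraries, so the decision logic can be built and checked anywhere.

```c
/* Added example (not from the thread or from NSS): an application-supplied
 * certificate decision for libSSL. The pure decision logic compiles on its
 * own; the NSS-specific callback is built only with -DHAVE_NSS. */
#include <stddef.h>
#include <string.h>

/* One peer certificate the application trusts by itself, regardless of
 * who issued it (the "trusted peer" idea from the reply). */
typedef struct {
    const unsigned char *der;   /* DER-encoded certificate bytes */
    size_t len;
} pinned_cert;

/* Return 1 if the peer's DER certificate exactly matches one of the pinned
 * certificates, else 0. Exact DER comparison is the simplest pin: it cannot
 * be satisfied by a different certificate with the same subject or key. */
int peer_cert_is_pinned(const unsigned char *der, size_t len,
                        const pinned_cert *pins, size_t npins)
{
    for (size_t i = 0; i < npins; i++) {
        if (pins[i].len == len && memcmp(pins[i].der, der, len) == 0)
            return 1;
    }
    return 0;
}

/* Constructed sample data for a stand-alone check; not real certificates. */
static const unsigned char sample_peer_a[] = {0x30, 0x06, 0x02, 0x01, 0x01, 0x05, 0x00};
static const unsigned char sample_peer_b[] = {0x30, 0x06, 0x02, 0x01, 0x02, 0x05, 0x00};
static const pinned_cert sample_pins[] = { { sample_peer_a, sizeof sample_peer_a } };

int sample_pin_matches(void)
{
    return peer_cert_is_pinned(sample_peer_a, sizeof sample_peer_a, sample_pins, 1);
}

int sample_pin_rejects_other(void)
{
    return peer_cert_is_pinned(sample_peer_b, sizeof sample_peer_b, sample_pins, 1);
}

int sample_pin_rejects_truncated(void)
{
    /* A prefix of a pinned cert must not match: length is part of the check. */
    return peer_cert_is_pinned(sample_peer_a, sizeof sample_peer_a - 1, sample_pins, 1);
}

#ifdef HAVE_NSS
#include <nss.h>
#include <ssl.h>
#include <cert.h>

/* Context handed to the callback through the `arg` pointer. */
typedef struct {
    const pinned_cert *pins;
    size_t npins;
    CERTCertDBHandle *certdb;   /* CERT_GetDefaultCertDB(), for the fallback */
} auth_ctx;

/* The callback libSSL invokes once it has the peer's certificate. Accept a
 * pinned peer outright; otherwise defer to NSS's standard CA-chain check. */
static SECStatus pin_or_chain_auth(void *arg, PRFileDesc *fd,
                                   PRBool checkSig, PRBool isServer)
{
    auth_ctx *ctx = (auth_ctx *)arg;
    CERTCertificate *peer = SSL_PeerCertificate(fd);
    if (peer == NULL)
        return SECFailure;
    int pinned = peer_cert_is_pinned(peer->derCert.data, peer->derCert.len,
                                     ctx->pins, ctx->npins);
    CERT_DestroyCertificate(peer);   /* SSL_PeerCertificate returns a reference */
    if (pinned)
        return SECSuccess;
    /* Not a pinned peer: normal validation against the CA list in the certdb. */
    return SSL_AuthCertificate(ctx->certdb, fd, checkSig, isServer);
}

/* Register the decision callback on an SSL-enabled socket. */
SECStatus install_auth_hook(PRFileDesc *fd, auth_ctx *ctx)
{
    return SSL_AuthCertificateHook(fd, pin_or_chain_auth, ctx);
}
#endif

int main(void)
{
    /* Stand-alone run: 0 when the three sample checks behave as expected. */
    return !(sample_pin_matches() && !sample_pin_rejects_other()
             && !sample_pin_rejects_truncated());
}
```

The fallback to SSL_AuthCertificate is the important design choice: the callback narrows trust to named peers rather than switching verification off, so a certificate that is neither pinned nor chained to a CA in the certdb is still rejected. If the application can import the peer certificate instead, the reply's simpler route is to set the trusted-peer flag at import time, which with certutil is the "P" trust attribute (for example `certutil -A -d <dbdir> -n <nickname> -t "P,," -i <peer-cert.pem>`, with the bracketed values filled in for the deployment); NSS's own SSL_AuthCertificate then accepts that peer with no custom callback at all.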