Understood, thank you. By "trusted location," do you mean a server with a certificate that operating systems already trust?

On 4/12/21 10:15 AM, Ryan Culpepper wrote:
> Racket does not provide a way to do that.
>
> You can use `openssl s_client -showcerts -connect host:port < /dev/null` to
> get the server's certificate chain in PEM form (with other logs around it).
> Of course, an attacker could intercept the connection and send you their CA
> certificate instead. It would be safer if example.com published their
> certificate in a (standardly) trusted location.
>
> If you do something like this, consider mitigating the danger by having the
> user add the certificate to a separate location managed by your application
> rather than the OS trust store. You can extend the
> `ssl-default-verify-sources` parameter to point to a file containing
> additional root certificates.
>
> Ryan
>
> On Mon, Apr 12, 2021 at 3:20 PM Sage Gerard <[email protected]> wrote:
>
>> When ssl-connect fails due to an untrusted certificate, this error is
>> raised:
>>
>> ssl-connect: connect failed (error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed)
>>
>> I'd like to give the user a more helpful error, like this:
>>
>> Could not connect due to an untrusted certificate. In many cases, it is
>> not advisable to proceed. However, if you trust the server at
>> example.com, add /tmp/example.com.cert to your trusted certificates
>> using this guide: <guide link>
>>
>> How can I get a copy of the offending certificate so that I can do this?
>>
>> --
>> ~slg
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Racket Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/racket-users/8a55256d-71ed-b47f-5b92-c958438c5659%40sagegerard.com.

--
~slg
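The application-managed trust file suggested in the quoted reply, combined with the friendlier error asked for in the original question, as an added example that is not code from anyone in the thread. The file location, the function names and the wording of the message are assumptions, and detecting the failure by matching the text of the error quoted above is also an assumption.

```racket
#lang racket/base
;; Added example: names and paths below are hypothetical, not from the thread.
(require openssl)

;; Hypothetical application-managed PEM file of extra root certificates,
;; kept apart from the OS trust store.
(define app-trust-file
  (build-path (find-system-path 'pref-dir) "myapp" "extra-roots.pem"))

;; The default verification sources, plus the application's own file
;; once the user has created it.
(define (app-verify-sources)
  (if (file-exists? app-trust-file)
      (append (ssl-default-verify-sources) (list app-trust-file))
      (ssl-default-verify-sources)))

;; Assumption: a verification failure is recognised by the message text
;; shown in the thread ("certificate verify failed").
(define (verify-failure? e)
  (and (exn:fail? e)
       (regexp-match? #rx"certificate verify failed" (exn-message e))))

;; Connects with certificate and hostname verification enabled.
;; Returns the input and output ports from ssl-connect.
(define (connect/app-trust host port)
  (with-handlers
      ([verify-failure?
        (lambda (e)
          (raise-user-error
           'connect/app-trust
           (string-append
            "could not connect to ~a: untrusted certificate.\n"
            "In many cases it is not advisable to proceed. If you trust\n"
            "this server, obtain its CA certificate through a channel you\n"
            "already trust and append it (PEM) to ~a")
           host
           (path->string app-trust-file)))])
    (parameterize ([ssl-default-verify-sources (app-verify-sources)])
      ;; The secure context reads the parameter when it is requested.
      (ssl-connect host port (ssl-secure-client-context)))))
```

Verification stays on throughout: a certificate added to the application's file widens trust only for this program, and removing the file restores the defaults.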

