Ok, much appreciated. For those reading, I'm pivoting to this phrasing.

--

Could not connect to example.com due to an unverified certificate. You can address this by downloading the certificate from a source your operating system trusts (to mitigate man-in-the-middle attacks), then adding the certificate to XIDEN_TRUST_CERTIFICATES. Original exception follows: ...

On 4/12/21 10:43 AM, Ryan Culpepper wrote:
> Yes, that's right.
>
> Ryan
>
> On Mon, Apr 12, 2021 at 4:23 PM Sage Gerard <[email protected]> wrote:
>
>> Understood, thank you. By "trusted location," do you mean a server with a
>> certificate that operating systems already trust?
>>
>> On 4/12/21 10:15 AM, Ryan Culpepper wrote:
>>
>>> Racket does not provide a way to do that.
>>>
>>> You can use `openssl s_client -showcerts -connect host:port < /dev/null` to
>>> get the server's certificate chain in PEM form (with other logs around it).
>>> Of course, an attacker could intercept the connection and send you their CA
>>> certificate instead. It would be safer if example.com published their
>>> certificate in a (standardly) trusted location.
>>>
>>> If you do something like this, consider mitigating the danger by having the
>>> user add the certificate to a separate location managed by your application
>>> rather than the OS trust store. You can extend the
>>> `ssl-default-verify-sources` parameter to point to a file containing
>>> additional root certificates.
>>>
>>> Ryan
>>>
>>> On Mon, Apr 12, 2021 at 3:20 PM Sage Gerard <[email protected]> wrote:
>>>
>>>> When ssl-connect fails due to an untrusted certificate, this error is
>>>> raised:
>>>>
>>>> ssl-connect: connect failed (error:1416F086:SSL
>>>> routines:tls_process_server_certificate:certificate verify failed)
>>>>
>>>> I'd like to give the user a more helpful error, like this:
>>>>
>>>> Could not connect due to an untrusted certificate. In many cases, it is
>>>> not advisable to proceed. However, if you trust the server at
>>>> example.com, add /tmp/example.com.cert to your trusted certificates
>>>> using this guide: <guide link>
>>>>
>>>> How can I get a copy of the offending certificate so that I can do this?
>>>>
>>>> --
>>>> ~slg
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups
>>>> "Racket Users" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an
>>>> email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/racket-users/8a55256d-71ed-b47f-5b92-c958438c5659%40sagegerard.com.
>>
>> --
>> ~slg

--
~slg
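The two techniques discussed in the thread, put together as an added example (this is not code from the thread, from Racket's documentation, or from Sage's project): extracting the PEM chain from `openssl s_client -showcerts` output, and wrapping `ssl-connect` so that a verification failure surfaces the friendlier message while extra roots come from an application-managed file appended to `ssl-default-verify-sources`. Assumptions: the environment variable `XIDEN_TRUST_CERTIFICATES` (Sage's name) holds the path to a PEM file of additional roots; `'secure` is passed to `ssl-connect` so the secure client context does the verifying; a verification failure is recognised by the OpenSSL reason string quoted in the thread rather than by a specific exception type; and `subprocess` with stdin closed stands in for the `< /dev/null` redirection.

```racket
#lang racket/base
;; Added example (not from the thread). Two pieces, both assumed rather than
;; taken from Racket's own docs or from Sage's project:
;;  1. pull the server's chain out of `openssl s_client -showcerts` output,
;;  2. connect with ssl-connect, trusting extra roots from an
;;     application-managed PEM file, and rethrow verification failures
;;     with the friendlier message from the thread.
(require openssl
         racket/port)

;; `s_client -showcerts` prints the chain as PEM blocks surrounded by other
;; logging. A PEM body is base64 and never contains '-', so this regexp
;; picks out each block without depending on line structure.
(define (pem-certificates text)
  (regexp-match* #rx"-----BEGIN CERTIFICATE-----[^-]*-----END CERTIFICATE-----"
                 text))

;; Runs the command from the thread. Closing stdin has the same effect as
;; `< /dev/null`: s_client sees EOF and exits instead of waiting for input.
;; CAVEAT (also raised in the thread): this connection is unauthenticated, so
;; an attacker in the path can hand you their own CA certificate here. Compare
;; the result against something published through a channel you already trust.
(define (fetch-chain-pem host port)
  (define openssl-bin
    (or (find-executable-path "openssl")
        (error 'fetch-chain-pem "openssl not found in PATH")))
  (define-values (sp stdout stdin stderr)
    (subprocess #f #f 'stdout openssl-bin
                "s_client" "-showcerts" "-connect" (format "~a:~a" host port)))
  (close-output-port stdin)
  (define text (port->string stdout))   ; stderr is merged into stdout
  (close-input-port stdout)
  (subprocess-wait sp)
  (pem-certificates text))

;; Assumption: the env var named in Sage's message points at a PEM file of
;; additional roots kept by the application, separate from the OS store.
;; A plain path-string is accepted as an element of ssl-default-verify-sources.
(define (extra-verify-sources)
  (define p (getenv "XIDEN_TRUST_CERTIFICATES"))
  (if (and p (file-exists? p)) (list p) '()))

;; Heuristic: match the OpenSSL reason string quoted in the thread rather than
;; a specific exception struct, since only the message text is known here.
(define (verify-failure? e)
  (and (exn:fail? e)
       (regexp-match? #rx"certificate verify failed" (exn-message e))))

(define (friendly-message host e)
  (string->immutable-string
   (string-append
    (format "Could not connect to ~a due to an unverified certificate. " host)
    "You can address this by downloading the certificate from a source your "
    "operating system trusts (to mitigate man-in-the-middle attacks), then "
    "adding the certificate to XIDEN_TRUST_CERTIFICATES. "
    "Original exception follows: " (exn-message e))))

;; 'secure selects ssl-secure-client-context, which verifies the peer chain
;; against ssl-default-verify-sources and checks the hostname. The extra file
;; is appended, so OS roots keep working; nothing is written to the OS store.
(define (connect/friendly host port)
  (parameterize ([ssl-default-verify-sources
                  (append (ssl-default-verify-sources) (extra-verify-sources))])
    (with-handlers ([verify-failure?
                     (lambda (e)
                       (raise (exn:fail (friendly-message host e)
                                        (exn-continuation-marks e))))])
      (ssl-connect host port 'secure))))

(module+ main
  ;; Offline sanity check of the PEM extraction on a constructed sample,
  ;; then a real connection (example.com is the thread's placeholder host).
  (define sample
    "depth=0 CN = example.com\n-----BEGIN CERTIFICATE-----\nMIIB\nAQ==\n-----END CERTIFICATE-----\nDONE\n")
  (printf "extracted ~a block(s) from sample\n" (length (pem-certificates sample)))
  (define-values (in out) (connect/friendly "example.com" 443))
  (close-output-port out)
  (close-input-port in))
```

`fetch-chain-pem` is deliberately kept apart from `connect/friendly`: the tool can save the chain it retrieves to a path like the `/tmp/example.com.cert` in Sage's draft message for the user to inspect, but the decision to append it to the application's own trust file stays with the user, which is the separation Ryan recommends.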

