> On Fri, Jan 06, 2017 at 10:48:37AM -0500, RD Thrush wrote:
> > On 01/06/17 06:28, Stuart Henderson wrote:
> > > Related to this (and particularly thinking about autoinstalls),
> > > would it make sense to allow explicit protocols in the hostname?
> > >
> > > some.host -> https with http fallback
> > > http://some.host/ -> http only
> > > https://some.host/ -> https only, no fallback
> >
> > That would totally work for my install problem.
> >
> > FWIW, instead of running a patched install.sub, "rm /etc/ssl/cert.pem"
> > makes the install bypass the https attempt.
> >
>
> Note, if you're upgrading or otherwise have a way to get a cert.pem bundle
> onto there to *replace* the default, you could always drop the signer for
> your private self-signed server into the cert.pem bundle, at which point
> it would be accepted as trusted.
>
> of course if you're just installing you have an interesting chicken and egg
> problem, unless you put it somewhere on an https site that does have a real
> certificate, drop out of the installer and do
>
> ftp -o /tmp/mysigner.pem https://my.secure.site/mysigner.pem
> cat /tmp/mysigner.pem >> /etc/ssl/cert.pem
>
> then continue the install, and you're good.
>
> Almost wonder if it's worth an extra question in the installer to ask
> for an https address to retrieve a certificate bundle to be appended to
> cert.pem for the install...

And we should also ask a firmware question? Nope. I don't think we should bend over backwards for people doing strange things. They are on their own.