💾 Archived View for rawtext.club › ~sloum › geminilist › 002225.gmi captured on 2020-11-07 at 02:45:51. Gemini links have been rewritten to link to archived content


Does a cert need a Common Name matching the domain?

Alex Schroeder alex at gnu.org

Fri Jul 17 10:09:35 BST 2020

- - - - - - - - - - - - - - - - - - - 

Luke Emmet writes:

I'm getting "failed to connect to the server: hostname does not
verify: x509: certificate is valid for celulinde, not
caranatar.xyz"

On Fri, 2020-07-17 at 04:20 -0400, Caranatar wrote:

Ah crap apparently none of the clients I was using to test were actually verifying the certificate, and I forgot to change the CN when I copy/pasted my cert generation command from my laptop. It should be working now...

What do other people think about this? My personal impression was that in a trust on first use (TOFU) world, the common name (CN) of a certificate could be anything. It could be "Alex Schroeder", for example. Or it could be "alexschroeder.ch". Even if it was served as the certificate for another domain, like transjovian.org. After all, the question is only whether you "trust on first use".

My impression is that a client that tries to verify that CN and domain match is doing it wrong. What do you think? Sadly, my SSL know-how is weak, so any pointers to how things ought to work in a TOFU world are appreciated.

Cheers
Alex
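An added example, not code from this thread or from any Gemini client, of the two checks being discussed side by side: Go's own x509 hostname check (the source of the "certificate is valid for celulinde, not caranatar.xyz" error Luke quoted) and a TOFU check that never looks at the CN or SANs but pins the certificate fingerprint under the hostname the user asked for. The TOFUStore type, VerifyTOFU and selfSigned are assumptions made up for this example; the hostnames are the ones from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TOFUStore maps the hostname the user asked for to the SHA-256 fingerprint
// of the certificate seen on first use (a real client persists this).
type TOFUStore map[string]string

// VerifyTOFU ignores CN and SANs entirely: it pins the whole certificate. The
// pin is keyed by the requested hostname, so a certificate pinned for one host
// is not silently accepted for another, and a changed certificate is rejected
// rather than re-pinned. The very first connection is, by definition, unverified.
func VerifyTOFU(store TOFUStore, host string, cert *x509.Certificate) (firstUse bool, err error) {
	fp := fmt.Sprintf("%x", sha256.Sum256(cert.Raw))
	known, ok := store[host]
	if !ok {
		store[host] = fp
		return true, nil
	}
	if known != fp {
		return false, fmt.Errorf("tofu: certificate for %s changed (pinned %.8s, got %.8s)", host, known, fp)
	}
	return false, nil
}

// selfSigned builds a throwaway self-signed certificate (constructed test data)
// with name as both CN and SAN, the way a typical openssl one-liner produces it.
func selfSigned(name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Note that current Go releases match only the SAN list in VerifyHostname; the CN fallback that produced the quoted error in 2020 was removed in Go 1.15, which is why the example sets both.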