"Mark Pirogovsky" <[hidden email]> wrote:
> Good morning Everybody.
>
> Does anybody have SSL root certificate files for VW?
>
> I used to have the file with the bunch of the Root certificates I was
> using for the SSL communications. However, as time goes by some of those
> certificates are being replaced by newer ones. As a result, one of my
> applications stopped connecting to the HTTPS, because it cannot
> validate the Root cert in the chain.
>
> I have an error like:
> ^RootNotTrusted new
> messageText: (#CANotInTrustRegistry << #security >> 'CA Not in
> Trust Registry!');
> parameter: chain last;
> isResumable: true;
> raiseSignal

The parameter above is usually the exact certificate that you need. Just check if it is self-signed and if it is, that's it. The problem is that it arrived to you through a completely insecure channel at that point. So you cannot trust it based on the expectation that it was somehow protected. It wasn't protected at all. And it isn't particularly difficult to spoof. However, if you're OK trusting that copy in your specific circumstances in that specific case (based on hopefully a fairly confident judgment of the circumstances), there's nothing preventing you from adding that copy directly to your trust registry (X509Registry>>addTrusted:) right there, or saving it to a file (Certificate>>writeOn:) so that you can later read it back (Certificate class>>readFrom:).

The right way is to obtain the root certificates "securely" from a "trusted source". We have a few suggestions for "low security" deployments in our SSL chapter in the SecurityGuide, somewhat buried in the section on "Handshake and Certificates".

HTH,
Martin
_______________________________________________
vwnc mailing list
[hidden email]
http://lists.cs.uiuc.edu/mailman/listinfo/vwnc
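
Added example, not part of the thread and not VisualWorks code: a Python sketch of the check to run on the certificate delivered in the handshake before it goes anywhere near `X509Registry>>addTrusted:`. It accepts the copy only if issuer equals subject and its SHA-256 fingerprint equals one obtained out of band from a trusted source. The names `ok_to_trust`, `issuer_and_subject`, `read_tlv`, `tlv` and `SAMPLE_ROOT` are hypothetical, and the sample bytes are a constructed DER skeleton, not a real certificate.

```python
import hashlib
import hmac

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER bytes of the issuer and subject Names inside tbsCertificate."""
    _, cert_start, _ = read_tlv(der, 0)      # outer Certificate SEQUENCE
    _, pos, end = read_tlv(der, cert_start)  # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = read_tlv(der, pos)
        fields.append((tag, der[pos:nxt]))
        pos = nxt
    if fields and fields[0][0] == 0xA0:      # drop the optional [0] version field
        fields.pop(0)
    if len(fields) < 5:
        raise ValueError("not an X.509 tbsCertificate")
    return fields[2][1], fields[4][1]        # order: serial, sigAlg, issuer, validity, subject

def ok_to_trust(der, trusted_sha256_hex):
    """True only if issuer == subject (a real self-signed check would also verify
    the signature) and the fingerprint matches the out-of-band value."""
    issuer, subject = issuer_and_subject(der)
    expected = trusted_sha256_hex.replace(":", "").replace(" ", "").lower()
    actual = hashlib.sha256(der).hexdigest()
    return issuer == subject and hmac.compare_digest(actual, expected)

# Constructed sample: a DER skeleton with the X.509 field layout, not a real certificate.
def tlv(tag, content):
    return bytes([tag, len(content)]) + content   # short-form lengths only (< 128 bytes)

NAME = tlv(0x30, b"constructed root name")
TBS = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + tlv(0x02, b"\x01") + tlv(0x30, b"")
          + NAME + tlv(0x30, b"") + NAME + tlv(0x30, b""))
SAMPLE_ROOT = tlv(0x30, TBS + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

A copy that merely looks self-signed still fails here unless its bytes hash to the fingerprint published by the trusted source, which is the property the in-band copy cannot provide on its own.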