[CentOS] https and self signed

Wed Jun 15 14:25:57 UTC 2016
Warren Young <wyml at etr-usa.com>

On Jun 15, 2016, at 7:47 AM, Jerry Geis <geisj at pagestation.com> wrote:
> Yes I can added the --insecure for curl - but - my other app doesn't
> seem to work either - perhaps getting the same return message instead of
> the actual file.

Because of all the security holes people have been finding in TLS, libraries implementing the client side of TLS are getting increasingly intolerant of risky configurations.

It’s too bad, because self-signed certificates are only unusual on the public Internet.  I wish the designers of TLS had included a flag in the cert that let it declare that it was only to be trusted on a private intranet by clients of that same intranet.

For example, instead of declaring that the given server is foo.example.com, it would be nice if you could generate a self-signed cert that declares that it is for, and that any host on should trust it implicitly.

Such a cert could not be used to prove identity, prevent spoofing, or prevent MITM attacks, but it would give a way to set up encryption, which is often all you actually want.  MITM attacks could be largely prevented with certificate pinning.