chemistry-dev mailing list archives

From "Eberlein, Peter" <peter.eberl...@sap.com>
Subject kCMISSessionAllowUntrustedSSLCertificate
Date Fri, 17 May 2013 12:54:48 GMT
Hi Peter,

I noticed the new session parameter, kCMISSessionAllowUntrustedSSLCertificate, that you introduced.
If set, server certificate validation is skipped so SSL connections to untrusted servers can
be established.

I don't think that we should have such a parameter. The world is already insecure enough without
encouraging people to deactivate essential security settings. If there is a need to accept
untrusted server certificates temporarily, like during development, then this can easily be
done by providing a custom authentication provider. This was already possible before this
change, without extending the standard implementation with insecure code. Or did I miss something?
I would feel a lot better if this whole "feature" was removed again and whoever needs to do
such messy things does them in their own code in a custom authentication provider.

Or is it just me who is overly sensitive here? What does everyone else think?

Peter


