Avatar for Username

搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

了解更多

此討論串已被封存。 如果您有需要幫助,請新增一個新問題

How can I provide my own list of CA-certificates for TLS-connections from within a Add-On

  • 1 回覆
  • 1 有這個問題
  • 2 次檢視
  • 最近回覆由 guidow

guidow
guidow
more options

I'm considering writing an Add-On that does a DNSSEC/DANE lookup.

My scenario is that a DNSSEC query for the TLSA (DANE) records of a site return a full Root Certificate for a site. (2,0,0 in DANE jargon.)

I want to create new TLS context with a CA-pool containing just that Certificate, so that when I browse to the site, the TLS-layer verifies the site certificate against the DNSSEC-specified Root CA.

My question: how do I program that in an add on? How can I specify a *certain* CA root certificate before opening the connection.

I'm considering writing an Add-On that does a DNSSEC/DANE lookup. My scenario is that a DNSSEC query for the TLSA (DANE) records of a site return a full Root Certificate for a site. (2,0,0 in DANE jargon.) I want to create new TLS context with a CA-pool containing just that Certificate, so that when I browse to the site, the TLS-layer verifies the site certificate against the DNSSEC-specified Root CA. My question: how do I program that in an add on? How can I specify a *certain* CA root certificate before opening the connection.

所有回覆 (1)

guidow
guidow 提出問題者
more options

Replying to myself to add some more information.

For doing the DNSSEC-DANE lookup, I use a strategy as pioneered by the DNSSEC validation Add On.

My question is how to create a TLS-connection context with a certain Root CA before connection to the site.