intermediates reviews and mentions
Improving the quality of publicly trusted intermediate CA certificates
As part of this effort, Mozilla requires disclosure of all intermediate CA certificates in the WebPKI. They bundle that list in Firefox, so that even if a server is misconfigured and sends the wrong certificate chain (but a valid leaf certificate), they can successfully establish a TLS connection. It's pretty cool, and less confusing than the caching approach of other browsers, which leads to non-deterministic behavior.
Using the list they publish [1] I built a Go package that provides the same feature, as both an x509.CertPool or a tls.VerifyConnection callback, to allow clients to connect to misconfigured servers: https://pkg.go.dev/filippo.io/intermediates
The pool is regenerated [2] by a GitHub Action [3] every night, and embedded into the package so it requires no network connection. If tests fail on the new pool, it doesn't get committed. It's actually kinda interesting watching the intermediates come and go [4], and it's very satisfying to have a self-maintaining package.
[1] https://ccadb-public.secure.force.com/mozilla/MozillaInterme...
[2] https://github.com/FiloSottile/intermediates/blob/7dfa9179/g...
[3] https://github.com/FiloSottile/intermediates/blob/7dfa91796/...
[4] https://github.com/FiloSottile/intermediates/commits/main
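The mechanism the comment above describes, shown as an added example that is not part of the comment or of the filippo.io/intermediates package: a tls.VerifyConnection callback that verifies the server's chain against a set of roots while adding an "extra" intermediate pool alongside whatever the server sent. The names newVerifyConnection, issue, testChain and demo, the hostname example.test and the in-memory root -> intermediate -> leaf chain are all constructed here for the example; the extra pool stands in for the package's pool, so nothing is fetched from the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newVerifyConnection returns a tls.VerifyConnection callback that verifies the peer chain
// against roots using the intermediates the peer sent plus an extra pool. host is the expected DNS name.
func newVerifyConnection(host string, roots, extra *x509.CertPool) func(tls.ConnectionState) error {
	return func(cs tls.ConnectionState) error {
		if len(cs.PeerCertificates) == 0 {
			return fmt.Errorf("tls: server sent no certificates")
		}
		inter := x509.NewCertPool()
		if extra != nil {
			inter = extra.Clone() // copy: the shared pool must not be mutated per connection
		}
		for _, c := range cs.PeerCertificates[1:] {
			inter.AddCert(c) // whatever the server did send is still usable
		}
		_, err := cs.PeerCertificates[0].Verify(x509.VerifyOptions{
			DNSName: host, Roots: roots, Intermediates: inter,
		})
		return err
	}
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl under parent (tmpl itself when parent is nil) with a fresh P-256 key (hypothetical helper).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// testChain builds a constructed root -> intermediate -> leaf chain in memory.
func testChain() (root, intermediate, leaf *x509.Certificate) {
	now := time.Now()
	tmpl := func(serial int64, cn string, isCA bool) *x509.Certificate {
		t := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
		if !isCA {
			t.DNSNames = []string{cn}
			t.KeyUsage = x509.KeyUsageDigitalSignature
			t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		}
		return t
	}
	root, rootKey := issue(tmpl(1, "Example Root CA", true), nil, nil)
	intermediate, intKey := issue(tmpl(2, "Example Intermediate CA", true), root, rootKey)
	leaf, _ = issue(tmpl(3, "example.test", false), intermediate, intKey)
	return root, intermediate, leaf
}

// demo verifies a hand-built leaf-only ConnectionState (what a client sees when a
// misconfigured server sends only its leaf) without and then with the extra pool.
func demo() (withoutExtra, withExtra error) {
	root, intermediate, leaf := testChain()
	roots, extra := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	extra.AddCert(intermediate)
	cs := tls.ConnectionState{ServerName: "example.test", PeerCertificates: []*x509.Certificate{leaf}}
	withoutExtra = newVerifyConnection("example.test", roots, nil)(cs)
	withExtra = newVerifyConnection("example.test", roots, extra)(cs)
	return withoutExtra, withExtra
}

func main() {
	without, with := demo()
	fmt.Println("leaf only, no extra pool:", without) // x509: certificate signed by unknown authority
	fmt.Println("leaf only, with extra pool:", with)  // <nil>
}
```

In a real client the callback is wired in as `&tls.Config{ServerName: host, InsecureSkipVerify: true, VerifyConnection: newVerifyConnection(host, roots, extra)}`. InsecureSkipVerify only switches off crypto/tls's built-in chain check, which would reject the leaf-only chain before the callback could help; VerifyConnection still runs regardless of that flag and performs the full verification itself, hostname included. The `Clone` is not optional: the callback runs once per connection against a pool shared by every connection, so adding a peer's certificates directly to the shared pool would let one server's chain influence the verification of later, unrelated ones.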
Stats
FiloSottile/intermediates is an open source project licensed under BSD 3-clause "New" or "Revised" License which is an OSI approved license.
The primary programming language of intermediates is Go.