author | Peter Hofmann <scm@uninformativ.de> | 2015-01-05 20:05:35 +0100 |
---|---|---|
committer | Peter Hofmann <scm@uninformativ.de> | 2015-01-05 20:31:10 +0100 |
commit | 99e3756464d92b496cd5e118da46c560bf213c15 (patch) | |
tree | 5924a8945e7fc16f09b6daa717c66fcd918fad11 /README | |
parent | 60f2fc63302340ea2be9c07098d4f5191fbc032a (diff) | |
download | lariza-99e3756464d92b496cd5e118da46c560bf213c15.tar.gz |
Implement a simple certificate trust store
The WebKit1 version of lariza simply ignored certificate errors. I could
have turned off validation in WebKit2 as well, but I wanted to try to do
it right. :-)
Closes #12.
Diffstat (limited to 'README')
-rw-r--r-- | README | 34 |
1 files changed, 34 insertions, 0 deletions
@@ -16,6 +16,7 @@ Features: - Keyword based searching: Opening "wi foo" will search wikipedia - Global content zoom - Cooperative instances using FIFOs + - Certificate trust store - Support for Flash and Java - Bundled web extensions: - Adblock @@ -127,6 +128,9 @@ Main windows Mod1 + 3 Repeat the last search (backward). + Mod1 + c + Reload trusted certificates. + Escape Stop loading. @@ -160,6 +164,9 @@ Main windows Mod1 + k Reset the content of the location bar to "/". + Mod1 + c + Reload trusted certificates. + Escape Reset the content of the location bar to the current URI. @@ -317,6 +324,33 @@ mentioned above. ==================== +Trusted certificates +==================== + +By default, lariza trusts whatever CAs are trusted by WebKit, i.e. by +your GnuTLS installation. If you wish to trust additional certificates, +such as self-signed certificates, the first thing you should do is try +to add the appropriate CAs to your system-wide store. + +If you wish to add simple exceptions, you can grab the certificate and +store it in the directory ~/.config/lariza/certs. The filename must be +equal to the hostname: + + $ echo | openssl s_client -connect foo.de:443 | openssl x509 >foo.de + +This tells lariza to trust the given certificate when connecting to host +"foo.de". + +You can reload these certificates at runtime by pressing the appropriate +hotkey (see above). Note that removed certificates will be kept in +memory until you restart lariza. + +Note: This is NOT equal to certificate pinning. WebKit ignores +user-specified certificates if the server's certificate can be validated +by any system-wide CA. + + +==================== WebKit local storage ==================== |
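Review bot: In the two hotkey hunks (@@ -127,6 and @@ -160,6), "Reload trusted certificates." reads as if pressing Mod1 + c brings the in-memory trust state in line with the directory, but the new section states that "removed certificates will be kept in memory until you restart lariza". A user who deletes a file to withdraw an exception and then presses the hotkey would reasonably assume the certificate is no longer trusted. I would put the caveat in the hotkey description itself, for example "Reload trusted certificates (adds new ones only; removals need a restart)." The new section also refers to "the appropriate hotkey (see above)" without naming it; writing "Mod1 + c" there saves the reader a search.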
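Review bot: In the "Trusted certificates" hunk (@@ -317,6), the `openssl s_client ... | openssl x509 >foo.de` example saves whatever certificate the peer presents on that one connection, and the README then tells the reader that lariza will trust it, with no verification step in between. If the connection is intercepted at the moment the certificate is fetched, the exception is created for the interceptor's certificate. I would add a sentence telling the reader to check the saved file before moving it into ~/.config/lariza/certs, for example by comparing the output of `openssl x509 -noout -fingerprint -sha256 -in foo.de` with a fingerprint obtained from the server operator over another channel. Two smaller points on the same lines: the command does not pass `-servername foo.de`, so on a host that serves several names the certificate saved may not be the one the browser will see; and the README does not say what permissions the certs directory should have, although anyone who can write to it can add a trusted certificate for any hostname.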