Hacker News new | ask | show | jobs
by jefftk 1332 days ago
You can still use a self-signed cert with HTTP3 (including rightly scary warnings for visitors) or you can make your own CA and distribute the cert (no scary warnings when people visit your site).
1 comments
mistrial9 1332 days ago
I will believe this when I see it, thank you

the zealous "you must obey the law" tone of SOME comments here reinforces the worst stereotypes of corporate apparats.. individuals doing the bidding of institutions based on the letter of their "laws"

Human history has shown again and again that this ends badly .. HTTP is OK with ME

link
jefftk 1332 days ago
> I will believe this when I see it, thank you

I'm on my phone so I can't confirm this is http3, but how about https://self-signed.badssl.com/

link
mistrial9 1332 days ago
ok

    $ curl -v https://self-signed.badssl.com/
    *   Trying 104.154.89.105:443...
    * Connected to self-signed.badssl.com (104.154.89.105) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    *  CAfile: /etc/ssl/certs/ca-certificates.crt
    *  CApath: /etc/ssl/certs
    * TLSv1.0 (OUT), TLS header, Certificate Status (22):
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS header, Certificate Status (22):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS header, Certificate Status (22):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (OUT), TLS header, Unknown (21):
    * TLSv1.2 (OUT), TLS alert, unknown CA (560):
    * SSL certificate problem: self-signed certificate
    * Closing connection 0
    curl: (60) SSL certificate problem: self-signed certificate
    More details here: 
    https://curl.se/docs/sslcerts.html
"curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above."

    $ curl --version
    curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.13
    Release-Date: 2022-01-05
    Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp 
    Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd
link
benmmurphy 1332 days ago 

        curl -kv https://self-signed.badssl.com/
        *   Trying 104.154.89.105:443...
        * TCP_NODELAY set
        * Connected to self-signed.badssl.com (104.154.89.105) port 443 (#0)
        * ALPN, offering http/1.1
        * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
        * successfully set certificate verify locations:
        *   CAfile: /opt/local/share/curl/curl-ca-bundle.crt
        CApath: none
        * TLSv1.2 (OUT), TLS header, Certificate Status (22):
        * TLSv1.2 (OUT), TLS handshake, Client hello (1):
        * TLSv1.2 (IN), TLS handshake, Server hello (2):
        * TLSv1.2 (IN), TLS handshake, Certificate (11):
        * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
        * TLSv1.2 (IN), TLS handshake, Server finished (14):
        * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
        * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
        * TLSv1.2 (OUT), TLS handshake, Finished (20):
        * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
        * TLSv1.2 (IN), TLS handshake, Finished (20):
        * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
        * ALPN, server accepted to use http/1.1
        * Server certificate:
        *  subject: C=US; ST=California; L=San Francisco; O=BadSSL; CN=*.badssl.com
        *  start date: Aug 12 15:59:10 2022 GMT
        *  expire date: Aug 11 15:59:10 2024 GMT
        *  issuer: C=US; ST=California; L=San Francisco; O=BadSSL; CN=*.badssl.com
        *  SSL certificate verify result: self signed certificate (18), continuing anyway.
        > GET / HTTP/1.1
        > Host: self-signed.badssl.com
        > User-Agent: curl/7.65.1
        > Accept: */*
        > 
        * Mark bundle as not supporting multiuse
        < HTTP/1.1 200 OK
        < Server: nginx/1.10.3 (Ubuntu)
        < Date: Fri, 21 Oct 2022 18:41:58 GMT
        < Content-Type: text/html
        < Content-Length: 502
        < Last-Modified: Fri, 12 Aug 2022 15:59:21 GMT
        < Connection: keep-alive
        < ETag: "62f678d9-1f6"
        < Cache-Control: no-store
        < Accept-Ranges: bytes
        <
link
mistrial9 1332 days ago
yes minus-k says "less checking, generally proceed" but does it remember that certificate? maybe not
link
jefftk 1332 days ago
I wouldn't want curl to remember the exception. It's not like a browser: just because I'm currently testing a site with -k does not mean I never want it to perform the normal careful checks.
link
nl 1332 days ago
This seems like it... works exactly as intended?

If you decide you trust that certificate (which can be a legitimate thing to do - the cert signature could be communicated to you via out-of-band trusted mechanisms) then https://curl.se/docs/sslcerts.html explains how to trust it.

link
jefftk 1332 days ago
Among other things that's saying it's a self-signed cert and can do HTTP2. So that Chrome on my phone will connect to it does confirm that you can do self-signed certs with HTTP2 at least.
link
nrb 1332 days ago
> HTTP is OK with ME

How do you propose to secure user sessions and prevent MITM or tracking otherwise?

link
bombcar 1332 days ago
That battle is mostly lost anyway - the web is what Google and Apple let you see for the most part for most users.
link
mistrial9 1332 days ago
I encourage you to take solace in stories of courage and invention at this challenging time in history.
link