Hello!
On Thu, Mar 24, 2016 at 1:04 PM, Mark Moseley wrote:
> I've seen where my lookup succeeds but then something else fails along the
> way (malformed cert, cert/key mismatch, etc -- we're talking about thousands
> of certs and support agents don't always get it right), and I don't find out
> till after ssl.clear_certs() is called.
>
> Maybe if there was a call to get the current cert and the current key (or
> have an optional 3rd and 4th return value for ssl.clear_certs() that returns
> the cleared cert and key, respectively), then if either ssl.set_der_cert or
> ssl.set_der_priv_key fails, you can reset the connection to the previously
> cleared cert/key.
Seems like you should instead *verify* your untrusted certificate and
key pairs before overriding the default ones?
Regards,
-agentzh