CA Bundle support (and documentation)

weswinham
We use a cert signed by GoDaddy, which is for some reason not included in the Prince cert bundle (which I didn't realize existed until stumbling across a thread that mentioned it). The support for certificate management in Prince is pretty rough right now, but there are a few straightforward things that I think could vastly improve it (so that nobody else has to spend all day debugging curl versions and CA bundles and openssl and wading through forums):

1. Add an --insecure option if someone just wants to ignore SSL security for testing or whatever reason (just passing that option to curl)
2. Document the --ssl-ca-certificate option
3. Add an option to specify a CA bundle (just like curl does)
4. Document the location of the included Prince CA bundle so that we know what to customize if we need to

Also, is there some support method other than the forums for license-holders? I feel like my day probably could have been saved by someone who knew about the Prince CA bundle, but I wasn't sure of the best contact method to debug my problem (which included some stuff it'd probably be best not to post on a public forum). Maybe I'm missing something on the website?

thanks
-Wes
mikeday
Hi Wes, thanks for the detailed comments!

1. There is an undocumented Prince option, --ssl-blindly-trust-server, which does exactly what it says. However, --insecure is a much better name for this option! We will add this to the next release, and document it.

2. Done, it's now listed here, and will be included in the output of --help in the next release.

3. How would this be different to the --ssl-ca-cert option?

4. Will do!

Please feel free to email me (mikeday@yeslogic.com) for any issues that you feel are not appropriate for discussion on the forum.
weswinham
> 1. There is an undocumented Prince option, --ssl-blindly-trust-server, which does exactly what it says. However, --insecure is a much better name for this option! We will add this to the next release, and document it.

Perfect. --insecure is the name curl gives to that option, so it seems solid for consistency.

> 2. Done, it's now listed here, and will be included in the output of --help in the next release.

Awesome :)

> 3. How would this be different to the --ssl-ca-cert option?

Sorry I wasn't clear there. I meant that the option should allow you to add a CA certificate directory, similarly to cURL's --capath directive ( http://curl.haxx.se/docs/manpage.html ). For my particular issue, I replaced the bundle in the prince/etc directory and that works just fine, but for other use cases I could see people wanting to just tell Prince to use their /etc/ssl/certs directory or some other directory.

> 4. Will do!

Thanks.

We really appreciate your quick response and thanks for the heads up on the --ssl-blindly-trust-server option (which I'll be using for testing in the future).
mikeday
Oh I see, it's --capath vs. --cacert. We can add this option to the next release.
pkmiec
I just ran into the same problem with GoDaddy CA. The --ssl-blindly-trust-server is exactly what I need.

These forums are really useful. Thanks for your continuing support excellence.
mikeday
We've now released Prince 7.0, which includes the --ssl-cacert, --ssl-capath, and --insecure command-line options for managing SSL usage, similarly to the way curl works.
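
The difference between the bundle-file (--cacert) and directory (--capath) lookups discussed in this thread, as an added example that is not part of the original posts and not Prince's own code. It uses the `openssl` command line as a stand-in and assumes OpenSSL-style lookup rules, as curl built against OpenSSL uses; the CA names, host name and file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every key and certificate is generated locally in a temp dir.
work=$(mktemp -d)

make_pki() {
  # "Demo Issuing CA" stands in for an issuer missing from a shipped bundle.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Issuing CA" \
    -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
  # "Unrelated CA" stands in for what the shipped bundle already contains.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated CA" \
    -keyout "$work/other.key" -out "$work/bundle.pem" 2>/dev/null
  # Server certificate issued by the demo CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
    -keyout "$work/srv.key" -out "$work/srv.csr" 2>/dev/null
  openssl x509 -req -in "$work/srv.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
    -CAcreateserial -days 1 -out "$work/srv.pem" 2>/dev/null
}

# Bundle-file lookup (--cacert style): one PEM file, certificates concatenated.
verify_with_bundle() { openssl verify -CAfile "$1" "$work/srv.pem" >/dev/null 2>&1; }

# Directory lookup (--capath style): issuers are found by subject-hash file name.
verify_with_dir() { openssl verify -CApath "$1" "$work/srv.pem" >/dev/null 2>&1; }

# Copy a CA certificate into a directory under its <subject-hash>.0 name.
install_hashed() {
  mkdir -p "$2"
  cp "$1" "$2/$(openssl x509 -noout -hash -in "$1").0"
}

report() { if "$@"; then echo "trusted"; else echo "issuer unknown"; fi; }

make_pki
# Fix 1: append the missing issuer to a copy of the bundle.
cat "$work/bundle.pem" "$work/ca.pem" > "$work/extended.pem"
# Common mistake: dropping the PEM into a directory under an arbitrary name.
mkdir -p "$work/unhashed" && cp "$work/ca.pem" "$work/unhashed/ca.pem"
# Fix 2: a directory whose file names are subject hashes.
install_hashed "$work/ca.pem" "$work/certs"

echo "stock bundle:       $(report verify_with_bundle "$work/bundle.pem")"
echo "extended bundle:    $(report verify_with_bundle "$work/extended.pem")"
echo "unhashed directory: $(report verify_with_dir "$work/unhashed")"
echo "hashed directory:   $(report verify_with_dir "$work/certs")"
```

Adding the one missing issuer keeps certificate verification on, unlike a blanket trust-everything switch.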