Newsgroups: comp.sys.raspberry-pi
Subject: Re: Chromium and self-signed certificates
Date: Sat, 7 Sep 2024 01:39:00 -0000 (UTC)

Lawrence D'Oliveiro wrote:
> On Sun, 1 Sep 2024 22:49:42 -0000 (UTC), bp wrote:
>
>> Are the certificates and keys the same between SSH and TLS?
>
> The basic encryption algorithms may be the same, but the usage is a little
> different. SSH has no concept of “certificates”, only of “host keys”
> versus “user keys”. Each key is of course actually a key pair, consisting
> of a public key (freely redistributable, but recipients need to be sure
> they get them from a trusted source) and a corresponding private key
> (never to be disclosed to anybody else).
>
> There is a file in your SSH client config called “known_hosts”, which
> contains the public host keys of all the hosts you’ve previously connected
> to; this is used to guard against somebody trying to impersonate any of
> those hosts when you next try to connect.

I was confusing host keys and server certificates. One more puzzle down.

Your scripts seem to work on both FreeBSD and RasPiOS. Now to see if I can
stumble through making them work _between_ FreeBSD and RasPiOS.

One obvious question is setting the "listen_addr" in the try_server script.
Can it be set to "any" or a range by IP or FQDN? A list would be fine, I have
only eight addresses total.

Thank you!

bob prohaska
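
Added example, not part of the thread and not code from either poster: a sketch of the known_hosts check described in the quoted text, comparing the key a server presents with the one recorded for that host name. It covers exact and hashed (`|1|salt|hash`) host entries only; the host names, salt and key blobs are constructed placeholders, and `check_host_key` is a hypothetical helper, not an OpenSSH API.

```python
import base64, hashlib, hmac

def host_matches(pattern, host):
    """True if one entry of a known_hosts host field names `host`."""
    if pattern.startswith("|1|"):              # hashed entry (HashKnownHosts yes)
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return pattern == host                     # wildcard patterns not handled here

def check_host_key(known_hosts_text, host, key_type, key_b64):
    """Return 'match', 'mismatch' (possible impersonation) or 'unknown' (first contact)."""
    host_seen = False
    for line in known_hosts_text.splitlines():
        line = line.strip()
        # Skip blanks, comments and marker lines (@cert-authority, @revoked).
        if not line or line.startswith(("#", "@")):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, ktype, kb64 = fields[:3]
        if ktype != key_type:
            continue
        if not any(host_matches(p, host) for p in hosts.split(",")):
            continue
        if kb64 == key_b64:
            return "match"
        host_seen = True                       # same host and key type, different key
    return "mismatch" if host_seen else "unknown"

def hashed_name(host, salt):
    """Build a hashed host field the way a hashed known_hosts entry stores it."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed sample data: these are not real key blobs.
KEY_A = base64.b64encode(b"constructed key blob A").decode()
KEY_B = base64.b64encode(b"constructed key blob B").decode()
SAMPLE = "\n".join([
    "# constructed known_hosts sample",
    "pi4.example.net,192.0.2.10 ssh-ed25519 %s" % KEY_A,
    "%s ssh-ed25519 %s" % (hashed_name("bsd.example.net", b"constructed-salt-20b"), KEY_B),
])

if __name__ == "__main__":
    for h, k in [("pi4.example.net", KEY_A), ("bsd.example.net", KEY_A), ("new.example.net", KEY_A)]:
        print(h, check_host_key(SAMPLE, h, "ssh-ed25519", k))
```

A "mismatch" result is the case the quoted text describes: the name is already known but the presented public key differs from the recorded one.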