Arnavion 3 days ago
This will not work with HPKP but hopefully nothing is using that any more. (https://en.m.wikipedia.org/wiki/HTTP_Public_Key_Pinning) It won't work with programs that defensively validate the cert chain but those are rare. It won't work with programs that embed their own root cert store, which is also rare but I would guess less rare than the previous one. The usual reason to do this is to minimize OS deps, and in the case of Docker containers to save on container image size by only including the roots you care about. But yes for the vast majority of programs it should work fine.
adtac 3 days ago
Yep, certificate pinning is the one scenario Subtrace can't handle in my experience, but thankfully, it's fairly rare like you said. And IMO there is no general solution to the problem [1], but it's one of those very interesting problems to daydream thinking about when you're stuck in traffic or whatever :) We still try our best by handling as much of the long tail of environments with some library/framework specific workaround (e.g. Deno bundles all TLS certs in its binary so we set the DENO_CERT env var when applicable).