How can I provide my own list of CA-certificates for TLS-connections from within a Add-On
I'm considering writing an Add-On that does a DNSSEC/DANE lookup.
My scenario is that a DNSSEC query for the TLSA (DANE) records of a site return a full Root Certificate for a site. (2,0,0 in DANE jargon.)
I want to create new TLS context with a CA-pool containing just that Certificate, so that when I browse to the site, the TLS-layer verifies the site certificate against the DNSSEC-specified Root CA.
My question: how do I program that in an add on? How can I specify a *certain* CA root certificate before opening the connection.
Wšykne wótegrona (1)
Replying to myself to add some more information.
For doing the DNSSEC-DANE lookup, I use a strategy as pioneered by the DNSSEC validation Add On.
My question is how to create a TLS-connection context with a certain Root CA before connection to the site.