> > Webrev lives here:
> >
> > http://cr.opensolaris.org/~johansen/webrev-2951/
>
> The only comment I have is that I'm surprised at the number of places
> you have to add the 'if not check_cert_validity(img):' it might be
> better to put these checks closer to the SSL transport connection code,
> say in 'get_ssl_credentials()'. The reason being that in the future
> there could be other remote transports that don't use certificates or
> don't use them in the same way.

To be clear, this is really a warning mechanism for customers who have installed an SSL certificate so that they can get access to specific Sun repositories. It's part of allowing us to sell support.

Long term, I agree that we'll want to do the validation in or near the SSL transport. One of the many problems with urllib2/httplib in Python is that they don't have any support for verifying the certificates of either the client or the server. Once we can get pyCurl (Python interface to libcurl) integrated, we should be able to do a lot of this in the transport check, and simply switch to emitting a warning if a client certificate is close to expiration.

Thanks for taking the time to look at this change.

-j
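
An added example, not code from the webrev or from pkg(5): one way to put the validity check at a single credential-lookup choke point, as the thread discusses, so that expired certificates are refused and near-expiry ones only produce a warning. The names `cert_status`, `get_credentials`, the `origin` dict layout and the 30-day window are assumptions made for illustration.

```python
import ssl
import warnings

WARN_DAYS = 30  # assumed warning window; the thread does not give a number


class CertificateNotValid(Exception):
    """Client certificate is outside its validity period."""


def cert_status(not_before, not_after, now, warn_days=WARN_DAYS):
    """Classify a certificate from its validity dates.

    Dates use the text form the ssl module reports for certificates,
    e.g. 'Jan  1 00:00:00 2025 GMT'; `now` is seconds since the epoch.
    Returns (status, whole days left).
    """
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    if now < start:
        return "not-yet-valid", 0
    if now >= end:
        return "expired", 0
    days_left = int((end - now) // 86400)
    return ("expiring" if days_left < warn_days else "valid"), days_left


def get_credentials(origin, now):
    """Hypothetical single lookup point used by every SSL caller.

    `origin` is a constructed dict: name, ssl_key, ssl_cert,
    not_before, not_after. Callers no longer repeat the check.
    """
    if origin.get("ssl_cert") is None:
        return None  # transport without client certificates: nothing to check
    status, days = cert_status(origin["not_before"], origin["not_after"], now)
    if status in ("expired", "not-yet-valid"):
        raise CertificateNotValid("%s: certificate %s" % (origin["name"], status))
    if status == "expiring":
        warnings.warn("%s: certificate expires in %d days"
                      % (origin["name"], days))
    return origin["ssl_key"], origin["ssl_cert"]
```
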
