Folks, Stephen asked me to send out a draft of a proposal for handling CA certs in the pkg client.
Customers that have purchased support use the support repo, which is HTTPS. The extras repo is also HTTPS. The current pkg client uses a python library that doesn't know how to verify a server's CA certificate. As part of the transport work I'm doing, we'll be moving to a framework where this is possible. At the present time, OpenSolaris has no system-wide repository of trusted CA certificates. We need to deliver at least one to enable customers to access the support repo. Until CA management is subsumed by an OpenSolaris wide mechanism, we'd like to take the following approach: 1. Deliver CA certs approved for use with Sun repositories in usr/share/pkg/cacert. They'll be individual PEM files with a CN hash symlink'd to the PEM file. 2. For users that want to supply their own CA certs, look in var/pkg/ssl/cacert for additional cert information. The initial putback will support #1, and we'll tackle #2 as part of follow-up work. In order to streamline SSL performance, I'd like to have a hint in the publisher configuration that the CA cert is non-default. This will prevent us from trying to connect in case #1, failing, and then falling back to using certs in location #2. -j _______________________________________________ pkg-discuss mailing list [email protected] http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
