Can these pathnames be defined by environment variables so that we can point to other directories on non-OpenSolaris platforms?

Or, since you didn't put a "/" on the front of the paths, are those paths intended to be relative to the image root? In that case, those paths are not very conducive for use within a user image. It would still be nice to be able to define them with env. variables.

Thanks.
Tom


[email protected] wrote:
Folks,
Stephen asked me to send out a draft of a proposal for handling CA certs
in the pkg client.

Customers that have purchased support use the support repo, which is
HTTPS.  The extras repo is also HTTPS.  The current pkg client uses a
Python library that doesn't know how to verify a server's CA
certificate.  As part of the transport work I'm doing, we'll be moving
to a framework where this is possible.  At the present time, OpenSolaris
has no system-wide repository of trusted CA certificates.  We need to
deliver at least one to enable customers to access the support repo.

Until CA management is subsumed by an OpenSolaris-wide mechanism, we'd
like to take the following approach:

1. Deliver CA certs approved for use with Sun repositories in
usr/share/pkg/cacert.  They'll be individual PEM files with a CN hash
symlink'd to the PEM file.

2. For users that want to supply their own CA certs, look in
var/pkg/ssl/cacert for additional cert information.

The initial putback will support #1, and we'll tackle #2 as part of
follow-up work.  In order to streamline SSL performance, I'd like to
have a hint in the publisher configuration that the CA cert is
non-default.  This will prevent us from trying to connect in case #1,
failing, and then falling back to using certs in location #2.

-j
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
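
The lookup discussed in this thread, sketched as an added example that is not part of either message or of the pkg client: one CA directory is chosen per publisher from the configuration hint, resolved against the image root, and used for verification with no fallback. The environment variable names, the `nondefault_ca` flag and the function names are hypothetical.

```python
import os
import ssl

# Image-relative locations named in the proposal.
SYSTEM_CA_DIR = "usr/share/pkg/cacert"   # location #1: certs delivered with pkg
USER_CA_DIR = "var/pkg/ssl/cacert"       # location #2: user-supplied certs

# Hypothetical override variables (assumption; pkg defines no such names).
ENV_SYSTEM = "PKG_SYSTEM_CACERT_DIR"
ENV_USER = "PKG_USER_CACERT_DIR"


def ca_dir(image_root, nondefault_ca, env=os.environ):
    """Pick exactly one CA directory for a publisher.

    nondefault_ca models the publisher-configuration hint: True means the
    publisher's CA is user-supplied, so only location #2 is consulted and
    no connection is first attempted against location #1.
    """
    if nondefault_ca:
        var, rel = ENV_USER, USER_CA_DIR
    else:
        var, rel = ENV_SYSTEM, SYSTEM_CA_DIR
    override = env.get(var)
    if override:
        return os.path.abspath(override)
    # No leading "/" on the defaults: they resolve under the image root.
    return os.path.join(os.path.abspath(image_root), rel)


def tls_context(image_root, nondefault_ca, env=os.environ):
    """Build a verifying client context that trusts only the chosen directory."""
    path = ca_dir(image_root, nondefault_ca, env)
    if not os.path.isdir(path):
        # Fail closed rather than connecting without a trust store.
        raise FileNotFoundError("CA directory missing: " + path)
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # OpenSSL finds CAs in a capath directory through subject-name-hash
    # links (<hash>.0) that point at the PEM files.
    ctx.load_verify_locations(capath=path)
    return ctx
```
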
