[email protected] wrote:
> On Thu, Jun 11, 2009 at 01:14:28PM -0500, Shawn Walker wrote:
>> [email protected] wrote:
>>> On Thu, Jun 11, 2009 at 12:39:25PM -0500, Shawn Walker wrote:
>>>> I feel like peer verification has to be under customer control
>>>> because the repository requiring the certificate may be their own
>>>> and so a CA Cert may not be available for whatever reason.
>>> In this case, the customer has a self-signed certificate and can place
>>> that cert in the site-specific certs directory described in case #2 of
>>> the proposal.
>> See my other reply about the depot and cherrypy limitations. A CA Cert
>> may not be possible/supported.
> I saw your subsequent comment, but it didn't make sense to me. Somebody
> has to sign the server's key. When that somebody is a trusted
> third party, we generally refer to the somebody as a Certificate
> Authority (CA).
> Are you saying that CherryPy uses SSL for encryption but not
> authentication? I.e. it doesn't request the client's certificate as
> part of the SSL handshake? In that case, I'm still pretty sure that it
> has to present its own server certificate. If so, the client
> still wants to verify that it trusts the signature on the key in the
> server's certificate.
> If you have an SSL CherryPy depot set up, or have instructions for how to
> do this somewhere, I'd be happy to test the client against it. We can
> use those results as a basis for further discussion, if you'd like.
More specifically, and I apologise for this, cherrypy doesn't support
certificate chain files (currently) [1].
My understanding is that because cherrypy doesn't support CA
Certificates, clients can't authenticate the server because it doesn't
expose the necessary identity information to the client. However, I
could be wrong, this would require some verification. Could you try
this out?
Cheers,
--
Shawn Walker
[1]
http://blog.joshnisly.com/2009/01/24/using-godaddy-certificates-with-cherrypy/
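The three situations argued over above (a self-signed depot cert placed in the site-specific certs directory, a CA-signed cert where the server sends its full chain, and a CA-signed cert where the server can only send the leaf because it has no chain-file support) come down to whether the client can build a path from the server's certificate to something it trusts. The following is an added example, not code from this thread, from pkg(5) or from CherryPy: it models X.509 path building with plain dicts, treats "issuer name matches subject name" as standing in for a real signature check, and uses constructed names such as `depot.example.com` and `Example Intermediate CA`.

```python
"""Toy model of the certificate-path check a client performs when it
verifies a depot's server certificate.  Added example; not pkg(5) or
CherryPy code.  Certificates are dicts and the signature check is
simulated by issuer/subject name matching, so this shows path building
only, not cryptographic verification."""


def cert(subject, issuer):
    """Constructed certificate: just a subject and the issuer that signed it."""
    return {"subject": subject, "issuer": issuer}


def is_self_signed(c):
    return c["subject"] == c["issuer"]


class VerifyError(Exception):
    """Raised when no path from the leaf to a trust anchor can be built."""


def verify_chain(presented, trust_anchors, max_depth=8):
    """Walk from the server's leaf certificate towards a trust anchor.

    presented     -- certs the server sent, leaf first.  A depot that cannot
                     send a chain file presents only the leaf.
    trust_anchors -- certs the client trusts locally, e.g. the contents of
                     the site-specific certs directory from the proposal.
    Returns the path (leaf .. anchor) or raises VerifyError.
    """
    if not presented:
        raise VerifyError("server presented no certificate")
    by_subject = {c["subject"]: c for c in presented}
    anchors = {c["subject"]: c for c in trust_anchors}
    current = presented[0]
    path = [current]
    for _ in range(max_depth):
        # Case 1: the cert itself is a trust anchor, e.g. a self-signed
        # depot cert the customer dropped into the site certs directory.
        if anchors.get(current["subject"]) == current:
            return path
        if is_self_signed(current):
            raise VerifyError("self signed certificate not in trust store: %s"
                              % current["subject"])
        issuer = current["issuer"]
        # Case 2: the issuer is a CA the client already holds locally.
        if issuer in anchors:
            path.append(anchors[issuer])
            return path
        # Case 3: the issuer is an intermediate, which only works if the
        # server included it in the chain it presented.
        if issuer in by_subject:
            current = by_subject[issuer]
            path.append(current)
            continue
        raise VerifyError("unable to get local issuer certificate: %s" % issuer)
    raise VerifyError("certificate chain too long")


# Constructed sample certificates for the three scenarios in the thread.
ROOT = cert("Example Root CA", "Example Root CA")
INTER = cert("Example Intermediate CA", "Example Root CA")
DEPOT = cert("depot.example.com", "Example Intermediate CA")
SELF = cert("depot.internal.example", "depot.internal.example")


def scenario_self_signed_in_site_dir():
    """Customer's own self-signed cert, copied into the site certs directory."""
    return [c["subject"] for c in verify_chain([SELF], [SELF])]


def scenario_full_chain():
    """Server sends leaf plus intermediate; client trusts only the root."""
    return [c["subject"] for c in verify_chain([DEPOT, INTER], [ROOT])]


def scenario_leaf_only():
    """Server sends only the leaf (no chain-file support); verification fails."""
    try:
        verify_chain([DEPOT], [ROOT])
    except VerifyError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print("self-signed in site dir:", scenario_self_signed_in_site_dir())
    print("full chain:", scenario_full_chain())
    print("leaf only:", scenario_leaf_only())
```

The third scenario is the one the chain-file limitation produces: the client trusts the root, the depot's certificate is validly signed by an intermediate, but because the intermediate is never presented the client has no way to connect the two and has to reject the connection. The first scenario is why case #2 of the proposal works without any CA at all.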
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss