[email protected] wrote:
On Thu, Jun 11, 2009 at 01:32:24PM -0500, Shawn Walker wrote:
More specifically, and I apologise for this, cherrypy doesn't support certificate chain files (currently) [1].

My understanding is that because cherrypy doesn't support CA Certificates, clients can't authenticate the server because it doesn't expose the necessary identity information to the client. However, I could be wrong, this would require some verification. Could you try this out?

Thanks for the clarification.  I can test this, but my guess is that
you're right.  If the server can't send intermediate certificates in the
chain of trust, and the client doesn't have all of the certs, then the
verification may fail.   However, this is really a bug in the server.
I'd hesitate to architect a solution that assumes a buggy SSL
implementation.  Customers can work around this by disabling SSL, or
putting apache in front of their depot like we do.

If the objection is to arbitrary behavior when a directory isn't
present, I can remove that workaround.  I assumed it would be useful for
testing in situations where one has pulled the latest client from the
gate, but hasn't yet installed a client with CA certificates on their
machine.

My primary objection is to the arbitrary behaviour when a directory isn't present. However, for the same reasons you noted about the CA certificates, I think the ability to override peer verification behaviour is necessary.

I'm hesitant to introduce a switch to disable verifying certificates.
Modern web browsers raise a huge stink when users connect to an
untrusted website.  I'm inclined to take a similar approach.  If a user
really wants to connect to a site that's self-signed or untrusted,
perhaps it would be better to have them explicitly place the certificate
of the server in their list of per-site trusted certs.

And I absolutely hate that behaviour of modern browsers, such as Firefox. I can't count how many websites Sun has up, or other legitimate websites I've been to that I have to go through Firefox's "your papers please!" page. But do note that Firefox does give you an escape route, it lets you continue anyway if you explicitly tell it to do so. For the same reasons, and more, I think we need to do the same thing.

Cheers,
--
Shawn Walker
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
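The two situations argued over in the thread, reproduced with openssl as an added example (not code from the thread or from pkg/cherrypy): a constructed root -> intermediate -> leaf hierarchy for a made-up depot host "depot.example", verification failing when the server cannot send the intermediate, and the per-site trust alternative to a global "disable verification" switch, where the server's own certificate is placed in the trust store and accepted with -partial_chain. All names in it are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the incomplete-chain
# failure with openssl on a constructed three-tier hierarchy. Every name here
# (Demo Root CA, Demo Intermediate CA, depot.example) is made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Fresh 2048-bit RSA key and CSR for subject CN $2, written to $1.key/$1.csr.
csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" 2>/dev/null
}
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:depot.example\n' > leaf.ext

csr root "Demo Root CA"           # self-signed trust anchor the client ships with
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
    -out root.pem 2>/dev/null
csr int "Demo Intermediate CA"    # the intermediate a server must send along
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out int.pem 2>/dev/null
csr leaf "depot.example"          # the depot's own server certificate
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 1 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Verify leaf.pem the way a client does: $1 holds the trust anchors, $2 the
# intermediates the server sent (empty when it sent only its own cert).
# Prints OK or FAIL so the result can be compared rather than just logged.
chain_status() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1 && echo OK || echo FAIL
    else
        openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1 && echo OK || echo FAIL
    fi
}
# Per-site trust instead of a global "don't verify" switch: the operator puts
# the server's own certificate in the trust store; -partial_chain lets a
# non-self-signed trust anchor terminate the chain, so no intermediate is needed.
pinned_status() {
    openssl verify -partial_chain -CAfile leaf.pem leaf.pem >/dev/null 2>&1 && echo OK || echo FAIL
}

echo "root only, no intermediate from server: $(chain_status root.pem '')"
echo "root plus server-sent intermediate:     $(chain_status root.pem int.pem)"
echo "server cert pinned per-site:            $(pinned_status)"
```

The first case is the failure the thread predicts for a server that cannot emit a chain file; the other two are the fixes discussed, a complete chain or an explicit per-site trust entry, neither of which requires turning verification off.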