Re: [pkg-discuss] Clarification about SSL origins and mirrors

Wed, 16 Dec 2009 09:54:56 -0800 

Michal Pryc wrote:

On 12/16/09 04:22 PM, Shawn Walker wrote:

Michal Pryc wrote:
I believe this is implemented, so I really need clarifications what is wrong/missing. The below scenarios allows to mix http/https URLs for origins and mirrors and prevents the addition of http URLs when SSL Cert/Key info is defined. 


------------------------
SCENARIO 1
------------------------
SYSTEM CONFIGURATION:
      Configured publishers:
        INSECURE (non ssl)

      Origins for the SECURE:
        http://origin1


Is the above supposed to be https?


No, The original Origin is http://origin1 as this is NON SSL publisher 
and we are adding another SSL origin to this publisher (mixing ssl/non 
ssl is allowed)


...


USER ACTION:
  User adding another origin SECURE.
   -> User types the SSL Key
   -> User types the SSL Cert
   -> User types origin WITH https
   -> User clicks Add origin
   -> User clicks OK in the modify publishe dialog

RESULT:
  Origin added succesfully



I'm a little confused here.  When they are adding a 'SECURE' origin to 
an existing publisher or are they adding a new publisher with a 
'SECURE' origin?

They are adding SECURE origin to an existing NON SECURE publisher 
(mixing is allowed as you wrote and the only thing which is not allowed 
is the "prevent the addition of http URLs if SSL Cert/Key info is 
defined", but as I understood vice-versa works, otherwise how the users 
would mix SSL/NON-SSL). This is also working from the command line, so I 
don't think GUI should be different.


Can you layout this specific case a bit more explicitly?


The CLI does not allow a user to add an SSL origin to a publisher that 
has http origins with Key/Cert information:



$ pkg image-create -p webstack=http://pkg.opensolaris.org/webstack 
/tmp/image


$ export PKG_IMAGE=/tmp/image


$ pkg set-publisher -g https://pkg.opensolaris.org/webstack --no-refresh 
-k /var/pkg/ssl/OpenSolaris_extras.key.pem -c 
/var/pkg/ssl/OpenSolaris_extras.certificate.pem webstack


pkg set-publisher: 'ssl_cert' is not supported for 'http'.

--
Shawn Walker
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss






















					Reply via email to