Michal Pryc wrote:
On 16/12/2009 18:54, Shawn Walker wrote:
Michal Pryc wrote:
On 12/16/09 04:22 PM, Shawn Walker wrote:
Michal Pryc wrote:
I believe this is implemented, so I really need clarification on what is wrong/missing. The scenarios below allow mixing http/https URLs for origins and mirrors and prevent the addition of http URLs when SSL Cert/Key info is defined.


------------------------
SCENARIO 1
------------------------
SYSTEM CONFIGURATION:
      Configured publishers:
        INSECURE (non ssl)

      Origins for the SECURE:
        http://origin1

Is the above supposed to be https?

No. The original origin is http://origin1, as this is a NON SSL publisher and we are adding another SSL origin to this publisher (mixing ssl/non ssl is allowed).

...

USER ACTION:
  User adds another origin, SECURE.
   -> User types the SSL Key
   -> User types the SSL Cert
   -> User types origin WITH https
   -> User clicks Add origin
   -> User clicks OK in the modify publisher dialog

RESULT:
  Origin added successfully

I'm a little confused here. Are they adding a 'SECURE' origin to an existing publisher, or are they adding a new publisher with a 'SECURE' origin?
They are adding a SECURE origin to an existing NON SECURE publisher (mixing is allowed as you wrote, and the only thing which is not allowed is the "prevent the addition of http URLs if SSL Cert/Key info is defined", but as I understood it vice-versa works, otherwise how would the users mix SSL/NON-SSL?). This also works from the command line, so I don't think the GUI should be different.

Can you lay out this specific case a bit more explicitly?

The CLI does not allow a user to add an SSL origin to a publisher that has http origins with Key/Cert information:
Shawn,
So how is it possible to mix SSL/Non SSL origins and mirrors as you requested? We are allowing this, but if there is any error coming from

Because you don't have to define Key/Cert information if you use https. While it's true that we require it for the extra repo, a Key/Cert is *not* required for https.

the API, of course it will be shown, so the GUI will in the end not allow adding such an origin.

I don't know if the API throws an error; I doubt it. This is more of a client policy at the moment. The reason that the client doesn't allow you to do it is because I believe the transport will try to apply Key/Cert info to all origins and mirrors.

--
Shawn Walker
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
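
The client policy discussed in this thread (Key/Cert is optional for https, but once Key/Cert is defined no http origin or mirror may coexist with it, because the transport is believed to apply it to all of them), sketched as an added example that is not code from the pkg project. `Publisher`, `add_origin`, `try_add` and the sample URIs are hypothetical names constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit


class OriginPolicyError(ValueError):
    """Raised when a URI would break the Key/Cert policy."""


@dataclass
class Publisher:  # hypothetical model, not the pkg(5) client API
    prefix: str
    origins: List[str] = field(default_factory=list)
    mirrors: List[str] = field(default_factory=list)
    ssl_key: Optional[str] = None
    ssl_cert: Optional[str] = None


def scheme_of(uri: str) -> str:
    scheme = urlsplit(uri).scheme.lower()
    if scheme not in ("http", "https"):
        raise OriginPolicyError(f"unsupported scheme in {uri!r}")
    return scheme


def add_origin(pub, uri, ssl_key=None, ssl_cert=None):
    """Add uri to pub.origins, or raise and leave pub unchanged."""
    if bool(ssl_key) != bool(ssl_cert):
        raise OriginPolicyError("SSL key and cert must be given together")
    key, cert = ssl_key or pub.ssl_key, ssl_cert or pub.ssl_cert
    # Assumption from the thread: Key/Cert applies to every origin and mirror,
    # so one plain-http URI anywhere is enough to reject the change.
    plain = [u for u in pub.origins + pub.mirrors + [uri] if scheme_of(u) == "http"]
    if key and plain:
        raise OriginPolicyError(f"Key/Cert set but http URIs present: {plain}")
    pub.origins.append(uri)
    pub.ssl_key, pub.ssl_cert = key, cert


def try_add(pub, uri, ssl_key=None, ssl_cert=None) -> bool:
    """Boolean wrapper, convenient for a GUI that only needs allow/deny."""
    try:
        add_origin(pub, uri, ssl_key, ssl_cert)
        return True
    except OriginPolicyError:
        return False
```

Under this policy, Scenario 1 (an https origin with Key/Cert added to a publisher that already has `http://origin1`) is rejected, while the same https origin without Key/Cert is accepted.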