On 10/08/2010 18:48, [email protected] wrote:
A follow on question: is there any legitimate use case where the client wouldn't want to verify the peer's certificate? Prior to this change, if no CA directory was present, the client wouldn't bother to try to verify the server's certificate. If we allow the user to specify a CA directory, should setting the CA directory to None allow the client to forgo the peer verification? (For the record, the current webrev always has the client verifying the peer).
Libraries like libcurl allow for that, but outside of a testing environment I can't see a real need for it. What should work though is the server providing a self-signed cert or a cert chain ending in a self-signed cert - without the nonsense UI that Firefox 3.x puts you though (that doesn't actually help security and just further trains users to click though).
It is easy enough to build your own install images now with the distro constructor so even if your pkg repos are running with a cert signed by a CA not in the ca-certificates package you can still work.
-- Darren J Moffat _______________________________________________ pkg-discuss mailing list [email protected] http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
