On Tue, Aug 10, 2010 at 06:56:14PM +0100, Darren J Moffat wrote:
> On 10/08/2010 18:48, [email protected] wrote:
> >A follow on question: is there any legitimate use case where the
> >client wouldn't want to verify the peer's certificate? Prior to this
> >change, if no CA directory was present, the client wouldn't bother to
> >try to verify the server's certificate. If we allow the user to specify
> >a CA directory, should setting the CA directory to None allow the client
> >to forgo the peer verification? (For the record, the current webrev
> >always has the client verifying the peer).
>
> Libraries like libcurl allow for that, but outside of a testing
> environment I can't see a real need for it. What should work though
> is the server providing a self-signed cert or a cert chain ending in
> a self-signed cert - without the nonsense UI that Firefox 3.x puts
> you through (that doesn't actually help security and just further
> trains users to click through).

This works as long as the self-signed cert is in the CA directory. I'm
assuming that's sufficient for this case, no?

> It is easy enough to build your own install images now with the
> distro constructor so even if your pkg repos are running with a cert
> signed by a CA not in the ca-certificates package you can still
> work.

Could you clarify what you mean here? At first I thought you were
suggesting that we accept a CA that's not in the trusted CA directory,
but I don't think that's what you mean.

Thanks,

-j
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
