On 07/27/11 13:44, Amol Chiplunkar wrote:
On 07/27/11 13:00, Erik Trauschke wrote:
On Wed, 2011-07-27 at 10:32 -0700, Amol Chiplunkar wrote:
On 7/27/2011 10:16 AM, Erik Trauschke wrote:
On Wed, 2011-07-27 at 09:53 -0700, Amol Chiplunkar wrote:
Well, do your certs have the CNs properly set?
How do I ensure that?
I am not even setting the CNs on the client side, just obtaining the
cert via openssl.
I suggest you look up how to do client cert verification in apache in
general.
Oh wait..
So when pkg runs, is it trying to just verify the server (by
validating its cert)
or is it trying to request the webserver to authenticate it as a
client?
My understanding is it's the former (just trying to validate the cert).
Both are happening. The client is verifying the server's cert against its
stored CA certs. The server is verifying the cert the client presents to
it to verify if the user is allowed to have access to this location.
I see.
I don't know what you are trying to achieve but if you just want to have
SSL-protected pkg transfers you don't need client verification.
That's exactly what I am trying to do.
Basically I am trying to use (the reverse proxy) Apache's secure ssl
port to route the pkg downloads.
If I use the http port, it works now. But doesn't work when I use the
https.
Do you mean I either need to use approve-ca-cert or -c <cert-file>?
Or
somehow disable the client cert check (either on the pkg side or on
Apache)?
If you just want to perform SSL-based transfers, you don't need to
supply a certificate to the client at all.
Just provide it to Apache and the client will handle the rest (assuming
it's not a self-signed cert).
-Shawn
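
The two modes discussed in this thread, as an added configuration sketch that is not from any of the posters or from the pkg project. The host name, file paths and backend depot address are placeholders; the directives are standard mod_ssl and mod_proxy ones.

```apache
# Added illustration: reverse proxy in front of a pkg depot.
# pkg.example.com, the /path/to/... files and the backend URL are placeholders.
<VirtualHost *:443>
    # Should match the CN (or subjectAltName) in the server certificate,
    # since that is the name the client checks during validation.
    ServerName pkg.example.com

    SSLEngine on

    # Server certificate and key. The client validates this certificate
    # against its stored CA certs, so it must chain to a CA the client
    # trusts. A self-signed cert fails that check unless the client is
    # explicitly told to trust it.
    SSLCertificateFile    /path/to/server-cert.pem
    SSLCertificateKeyFile /path/to/server-key.pem

    # Mode 1: SSL-protected transfers only. Apache does not request a
    # certificate from the client, so the client needs no cert or key.
    SSLVerifyClient none

    # Mode 2 (for contrast, left commented out): Apache requires the client
    # to present a certificate issued by the CA named below and refuses the
    # connection otherwise. Only in this mode does the client have to be
    # given a certificate and key.
    # SSLVerifyClient      require
    # SSLVerifyDepth       1
    # SSLCACertificateFile /path/to/client-ca.pem

    # Forward requests to the depot listening on plain HTTP behind the proxy.
    ProxyPass        / http://localhost:10000/
    ProxyPassReverse / http://localhost:10000/
</VirtualHost>
```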