Juan Hernandez has posted comments on this change.

Change subject: vdsm-reg: use web server CA extracted from SSL handshake
......................................................................


Patch Set 3:

The old behaviour is as secure as this one, as there is no verification of the 
SSL handshake used to get the CA certificate, only of the fingerprint of the 
resulting certificate, so downloading it with plain HTTP or from the SSL 
handshake is equally secure (this is a chicken-and-egg problem). The big benefit of 
your proposal is that you get the actual CA certificate used to sign the server 
certificate, no matter how it has been tweaked, but security is not better (nor 
worse).

What is important is that the registration process should work without SSL as 
well as with SSL, as many environments need that. Development is just one 
example, unless you want to convince/force all developers that they should 
set up SSL. Testing is another area where one should be able to work with SSL 
enabled or disabled, performance testing in particular.

To be honest I don't know if we have ever tested node registration without SSL, 
but I think it should work. I would appreciate it if you can verify this during 
your verification of the change. In fact, registration without SSL should just 
ignore the result of the "getRhevmCert" method, or even skip the call 
completely.

--
To view, visit http://gerrit.ovirt.org/8386
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: Iab8727a167de19ac66712309868654ae00c9bf4d
Gerrit-PatchSet: 3
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Dan Kenigsberg <[email protected]>
Gerrit-Reviewer: Doron Fediuck <[email protected]>
Gerrit-Reviewer: Juan Hernandez <[email protected]>
_______________________________________________
vdsm-patches mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/vdsm-patches
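The point made in the comment above, as an added illustration that is not vdsm-reg's own code: the only check is the pinned fingerprint, so the same verification applies whether the CA certificate bytes were downloaded over plain HTTP or extracted from the SSL handshake, and the no-SSL path skips the step entirely. The digest algorithm, the function names and the certificate bytes are assumptions, not taken from the change.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for a DER-encoded CA certificate; not a real certificate.
CA_CERT_DER = b"\x30\x82\x01\x00constructed-ca-certificate-bytes"

# Assumed digest algorithm; the page does not state which one vdsm-reg pins.
DIGEST = "sha1"


def fingerprint(cert_der: bytes, algorithm: str = DIGEST) -> str:
    """Return the openssl-style colon-separated, upper-case hex fingerprint."""
    digest = hashlib.new(algorithm, cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' and return lower-case hex without separators."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def verify_ca(cert_der: bytes, pinned_fp: str, algorithm: str = DIGEST) -> bool:
    """Accept cert_der only if its digest equals the pinned fingerprint.

    Nothing about the channel that delivered cert_der is checked here, which is
    exactly why HTTP download and handshake extraction are equally trustworthy.
    hmac.compare_digest avoids leaking how many leading bytes matched.
    """
    computed = hashlib.new(algorithm, cert_der).hexdigest()
    return hmac.compare_digest(computed, normalize(pinned_fp))


def register_ca(cert_der: Optional[bytes], pinned_fp: Optional[str], use_ssl: bool) -> str:
    """Registration decision for the CA step.

    Without SSL the certificate step is skipped entirely; with SSL the delivered
    certificate must match the pinned fingerprint or registration is rejected.
    """
    if not use_ssl:
        return "skipped"
    if cert_der is None or pinned_fp is None:
        return "rejected"  # nothing to verify against, so fail closed
    return "accepted" if verify_ca(cert_der, pinned_fp) else "rejected"
```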
