On Tue March 11 2008, Dennis Gilmore wrote:
> On Tuesday 11 March 2008, Till Maas wrote:
> > How about making the hub (I assume this is only used by automated
> > processes and not manually) listen on a different port than 443? Then the
> > web interface could use the new well-known certificate. The automated
> > processes the internal ones, where imho using an own CA does not hurt.
> > Also using a different port should be only a matter of configuring it
> > once.
> > The secondary arch instances could then use a CAcert certificate,
> > which are free and are trusted by some browsers already for the web
> > interface.
>
> if we use CACert we would have to ship it in the browsers we supply.
> currently no browser shipped with fedora does and if we did such we would
> use it for all services. and would require changes to all users' koji
> configs. people who are not using fedora would be in the same situation
> as they are now. AFAIK only CentOS ships browsers with CACert's root cert.

The certificate for the currently used CA is not shipped within Fedora browsers, either. Otherwise I probably would not have noticed the certificate of Koji. Therefore using CAcert would be no regression this way.

Btw. is it really needed that the client and server certificates are signed by the same CA? The Apache documentation for SSLCACertificateFile only mentions client authentication:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile

Regards,
Till
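The split discussed in this message, sketched as an Apache 2.2 mod_ssl configuration. This is an added example, not part of the thread and not the Fedora or Koji configuration; the host name, port 8443 and all file paths are assumptions.

```apache
# Web interface on 443: server certificate issued by a CA that
# browsers already trust. No client certificates are requested here.
Listen 443
<VirtualHost *:443>
    ServerName koji.example.org                      # hypothetical host name
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/web-public.crt     # hypothetical path
    SSLCertificateKeyFile /etc/pki/tls/private/web-public.key   # hypothetical path
    SSLVerifyClient none
</VirtualHost>

# Hub on a separate port (8443 is an assumed value) for automated
# clients, which are configured once to trust the internal CA.
Listen 8443
<VirtualHost *:8443>
    ServerName koji.example.org                      # hypothetical host name
    SSLEngine on
    # Server certificate presented to the automated clients.
    SSLCertificateFile    /etc/pki/tls/certs/hub-internal.crt   # hypothetical path
    SSLCertificateKeyFile /etc/pki/tls/private/hub-internal.key # hypothetical path
    # CA used only to verify certificates presented BY clients.
    SSLCACertificateFile  /etc/pki/tls/certs/internal-ca.crt    # hypothetical path
    SSLVerifyClient require
    SSLVerifyDepth  1
</VirtualHost>
```

The certificate in SSLCertificateFile is validated by the connecting client against the client's own trust store, while SSLCACertificateFile only tells the server which CAs may have issued client certificates, so the two settings can point at different CAs.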