[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: another issue to fix with the FAS2 switch: Kojis ssl certificate



On Tue March 11 2008, Dennis Gilmore wrote:
> On Tuesday 11 March 2008, Till Maas wrote:

> > How about making the hub (I assume this is only used by automated
> > processes and not manually) listen on a different port than 443? Then the
> > web interface could use the new well know certificate. The automated
> > processes the internal ones, where imho using a own ca does not hurt.
> > Also using a different port should be only a matter of configuring it
> > once.
> > The secondary arch instances could then use a cacert[0] certificate,
> > which are free and are trusted by some browsers already for the web
> > interface.
>
> if we use CACert we would have ship it in the browsers we supply. 
> currently no browser shipped with fedora does and if we did such we would
> use it for all services.  and would require changes to all users koji
> configs.   people who are not using fedora would be in the same situation
> as they are now. AFAIK only CentOS ships browsers with CACerts root cert.

The certificate for the currently used CA is not shipped within Fedora 
browsers, too. Otherwise I probably would not have noticed the certificate of 
Koji. Thererfore using cacert would be no regression this way.

Btw. is it really needed that the client and server certificates are signed by 
the same CA?
The apache docu only mentions in for SSLCACertificateFile only client 
authentication:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile

Regards,
Till

Attachment: signature.asc
Description: This is a digitally signed message part.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]