Martin Bartosch wrote:
umm, yes, if it is configured to work so, it will work just like the old script. BTW: an older version of this script has been in test (preproduction) use in my environment for some months now, but we currently do not experience high load on the SCEP interface.
I see no problems to include both scripts and activate the new one if it behaves like the old one.
Martin, you said it is "slower" - academic slower or practical slower :)
I guess practically, but I haven't performed benchmarks on this. Michael is *very* concerned about performance and the additional latency introduced by the script.
Which Michael? Did you mean me (perhaps you mean another one because I don't follow the track)? I only think about the performance of the normal HTML stuff because this can be used by humans. Machines are usually not so critical and they produce no high load. So SCEP performance is at minimum for me no argument.
But a really bad hack is included to parse the SubjectAltName from the incoming SCEP PKCS#10 request: this is currently not supported by the OpenCA::REQ module, so I had to use the OpenSSL binary for this. This must go away in a later release, but for this I will have to write the stub code in the .xs file for the request parse class.
This is not necessary for 0.9.2 too. OpenSSL.xs includes code to extract the extensions from a PKCS#10 request. You "only" have to add "EXTENSIONS" to @attrlist in parsReq of OpenCA::REQ. After this the extensions are in $csr->getParsed()->{EXTENSIONS}. If you want to preparse the subject_alt_name then you can do it like the X509 module which parses the EXTENSIONS data. ... but you can ignore this of course if your stuff is already stable.
If I assume right - my opinion: make the new scep script the default and keep the old one in the tree as ".old" so that people who absolutely won't update can simply use the old script.
I don't favour the idea, but if the other developers agree and positively support this, I will make the necessary modifications to the code to make it fit for 0.9.2.
The only question is how good is the new code tested and how good is the error tracing and debugging code. I checked the utf8 patch now and it is not really intrusive. So we can put both changes into the 0.9.2.3 but I need at minimum two days to adapt the patch because I want to look for the best and seamless integration into 0.9.2's config procedure.
Ives, did you take a look at the new script? I'm actually only a SCEP user no real developer.
Michael
--
Michael Bell                   Humboldt-Universitaet zu Berlin
Tel.: +49 (0)30-2093 2482      ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704      Unter den Linden 6
[EMAIL PROTECTED]              D-10099 Berlin
