* Darren J Moffat <[EMAIL PROTECTED]> [2008-04-09 13:48]: > [EMAIL PROTECTED] wrote: > > We need rudimentary SSL support in the pkg client for our upcoming > > release. This set of changes adds basic SSL support to the client and fixes > > a bunch of other bugs I created in my last few putbacks. > > > > Webrev is available here: > > > > http://cr.opensolaris.org/~johansen/pkg-sslcli/ > > In the man page diffs I saw: > 294 + Although HTTPS servers may validate client SSL certificates, the > 295 + client does not currently validate the server's. > > That pretty much defeats the main reason for doing SSL from the clients > view. The whole point is you need to know that the server you are > connecting to is who you expect to be and the way to do that with SSL is > to verify the presented certificate against your local trust anchors > (this is what your browser does). Yeah, we know.
> It turns out that this weakness isn't in your code but in the underlying > Python module. I think sadly that this means in the longer term a more > to a better HTTP library is going to be needed. Yep. > The client needs a set of trust anchors to verify against and the Python > httplib API doesn't even provide a way to specify that. > > On the other hand it is really really nice to see support for client > side certs being provided. Out of scope for this codereview but by the > time this integrates into Solaris we ideally want to have the client key > stored in a PKCS#11 accessible keystore (see encrypt(1), pktool(1) etc). > I wouldn't TCR in an ARC review but I would consider a TCA. (I read pktool(1) fairly carefully last week, and ended up with a bunch of questions, so went with just paths for now.) The next step for SSL support is to examine some of the alternative Python libraries that offer HTTP/HTTPS/etc. This review would have to be done in the context of how it might impact the retrieval/submission layer. (Danek's initial investigations into timeout and Dan's into progress tracking show that there's a fair bit of implementation design impact here...) - Stephen -- [EMAIL PROTECTED] http://blogs.sun.com/sch/ _______________________________________________ pkg-discuss mailing list [email protected] http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
