* Darren J Moffat <[EMAIL PROTECTED]> [2008-04-09 13:48]:
> [EMAIL PROTECTED] wrote:
> > We need rudimentary SSL support in the pkg client for our upcoming
> > release.  This set of changes adds basic SSL support to the client and fixes
> > a bunch of other bugs I created in my last few putbacks.
> > 
> > Webrev is available here:
> > 
> > http://cr.opensolaris.org/~johansen/pkg-sslcli/
> 
> In the man page diffs I saw:
> 294 +  Although HTTPS servers may validate client SSL certificates, the
> 295 +  client does not currently validate the server's.
> 
> That pretty much defeats the main reason for doing SSL from the clients 
> view.  The whole point is you need to know that the server you are 
> connecting to is who you expect to be and the way to do that with SSL is 
> to verify the presented certificate against your local trust anchors 
> (this is what your browser does).
 
  Yeah, we know.

> It turns out that this weakness isn't in your code but in the underlying 
> Python module.  I think sadly that this means in the longer term a more 
> to a better HTTP library is going to be needed.
 
  Yep.

> The client needs a set of trust anchors to verify against and the Python 
> httplib API doesn't even provide a way to specify that.
> 
> On the other hand it is really really nice to see support for client 
> side certs being provided.  Out of scope for this codereview but by the 
> time this integrates into Solaris we ideally want to have the client key 
> stored in a PKCS#11 accessible keystore (see encrypt(1), pktool(1) etc). 
>   I wouldn't TCR in an ARC review but I would consider a TCA.

  (I read pktool(1) fairly carefully last week, and ended up with a
  bunch of questions, so went with just paths for now.)

  The next step for SSL support is to examine some of the alternative
  Python libraries that offer HTTP/HTTPS/etc.  This review would have to
  be done in the context of how it might impact the retrieval/submission
  layer.  (Danek's initial investigations into timeout and Dan's into
  progress tracking show that there's a fair bit of implementation
  design impact here...)

  - Stephen

-- 
[EMAIL PROTECTED]  http://blogs.sun.com/sch/
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss

Reply via email to