Stephen Hahn wrote:
> * Shawn Walker <[email protected]> [2008-12-17 03:59]:
>> Greetings,
>>
>> The following webrev contains changes to implement the following RFEs:
>>
>> 2154 pkg.depotd should offer SSL/HTTPS option
>>
>> webrev:
>> http://cr.opensolaris.org/~swalker/pkg-2154/
>
> Most of my questions are around what you see happening next.
>
> 1. What portions of the SSL exchange environment are now available to
>    the request object? How are they accessed?

I assume you're talking about the SSL environment related variables. Most of them can be accessed via cherrypy.request.wsgi_environ. Here's a sample dump of the related SSL variables that are available:

    'SSL_SERVER_I_DN_CN': 'Shawn Walker'
    'SSL_SERVER_I_DN_C': 'US'
    'SSL_SERVER_I_DN': '/C=US/ST=Kansas/L=Overland Park/O=pkg(5)/CN=Shawn Walker/[email protected]'
    'SSL_SERVER_I_DN_emailAddress': '[email protected]'
    'SSL_SERVER_I_DN_L': 'Overland Park'
    'SSL_SERVER_I_DN_O': 'pkg(5)'
    'SSL_SERVER_I_DN_ST': 'Kansas'
    'SSL_SERVER_M_SERIAL': 15003531686780739401L
    'SSL_SERVER_M_VERSION': 0
    'SSL_SERVER_S_DN_CN': 'zorander'
    'SSL_SERVER_S_DN_C': 'US'
    'SSL_SERVER_S_DN': '/C=US/ST=Kansas/L=Overland Park/O=pkg(5)/CN=zorander/[email protected]'
    'SSL_SERVER_S_DN_emailAddress': '[email protected]'
    'SSL_SERVER_S_DN_L': 'Overland Park'
    'SSL_SERVER_S_DN_O': 'pkg(5)'
    'SSL_SERVER_S_DN_ST': 'Kansas'

Access to SSL_CIPHER, SSL_VERSION_INTERFACE, SSL_VERSION_LIBRARY, SSL_SERVER_V_START, and SSL_SERVER_V_END is not provided by cherrypy, apparently due to a limitation of pyOpenSSL.

> 2. How do you envision this feature being supported if we wanted to
>    host two repositories within one depotd instance?

Currently, you can't, due to cherrypy itself. They hope to address this in a future release [1].

> 3. How do you see CA chains fitting into your configuration?

cherrypy doesn't currently support this, although it is being discussed [1].

> 4. What's the impact on client authentication? Do you intend to
>    offer client authentication, or would you just expect the data
>    mentioned in #1 above to come into play?

No impact on client authentication as far as I know; I hadn't planned on making any further modifications for this unless they were done as part of bug 2153 or another RFE. I don't know enough about SSL authentication to adequately answer your question. My primary focus for this bug was just to make it possible to serve a depot via SSL.

> 5. I suppose I'd like to see an option to retrieve the SSL
>    certificate password from a read_authorization-protected property
>    group in the configuration.

I'll look into what is required and get back to you or post an updated webrev.

Cheers,
-- 
Shawn Walker

[1] http://groups.google.com/group/cherrypy-users/browse_thread/thread/dc2c2164bc741202/085a9f2edc920b24?lnk=gst&q=serve+https+and+http&fwc=1
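
The variable access described in the reply to question 1, as an added example that is not part of the original message or of the pkg(5) code: it summarizes the SSL_SERVER_* entries of a WSGI environ dict (in a CherryPy handler, cherrypy.request.wsgi_environ) and reports which of the variables named above as unavailable are absent. The function names and the sample environ are constructed for illustration.

```python
# Added illustration: works on any WSGI environ dict, so it runs without CherryPy.

# Variables the message lists as not provided by cherrypy.
UNAVAILABLE = ("SSL_CIPHER", "SSL_VERSION_INTERFACE", "SSL_VERSION_LIBRARY",
               "SSL_SERVER_V_START", "SSL_SERVER_V_END")

def parse_dn(dn):
    """Split a one-line DN such as '/C=US/O=x/CN=y' into (attr, value) pairs."""
    pairs = []
    for part in dn.split("/"):
        if "=" in part:
            attr, value = part.split("=", 1)
            pairs.append((attr, value))
        elif part and pairs:
            # The format does not escape '/', so a segment without '='
            # is treated as the continuation of the previous value.
            attr, value = pairs[-1]
            pairs[-1] = (attr, value + "/" + part)
    return pairs

def server_cert_summary(environ):
    """Collect subject/issuer fields and flag inconsistencies and gaps."""
    summary = {}
    for role, prefix in (("subject", "SSL_SERVER_S_DN"),
                         ("issuer", "SSL_SERVER_I_DN")):
        dn = environ.get(prefix)
        if dn is None:
            summary[role] = None  # not an SSL request, or variable not exported
            continue
        fields = dict(parse_dn(dn))  # repeated attributes keep the last value
        # Cross-check the parsed DN against the per-attribute variables.
        mismatched = sorted(k for k, v in fields.items()
                            if environ.get(prefix + "_" + k, v) != v)
        summary[role] = {"fields": fields, "mismatched": mismatched}
    summary["serial"] = environ.get("SSL_SERVER_M_SERIAL")
    summary["missing"] = [k for k in UNAVAILABLE if k not in environ]
    return summary

# Constructed sample environ, shaped like the dump in the message.
SAMPLE_ENVIRON = {
    "SSL_SERVER_S_DN": "/C=US/ST=Kansas/O=pkg(5)/CN=depot.example.invalid",
    "SSL_SERVER_S_DN_C": "US", "SSL_SERVER_S_DN_ST": "Kansas",
    "SSL_SERVER_S_DN_O": "pkg(5)", "SSL_SERVER_S_DN_CN": "depot.example.invalid",
    "SSL_SERVER_I_DN": "/C=US/O=pkg(5)/CN=Example CA",
    "SSL_SERVER_I_DN_C": "US", "SSL_SERVER_I_DN_O": "pkg(5)",
    "SSL_SERVER_I_DN_CN": "Example CA",
    "SSL_SERVER_M_SERIAL": 4096, "SSL_SERVER_M_VERSION": 0,
}

if __name__ == "__main__":
    print(server_cert_summary(SAMPLE_ENVIRON))
```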
