On Mon, Nov 15, 2010 at 11:30 PM, Matt Robinson <[email protected]> wrote:
> On Mon, Nov 15, 2010 at 2:59 PM, Sandor Szuecs > <[email protected]> wrote: > >> Wouldn't this be using Puppet's CA cert to try to > >> validate connections to wherever you're getting the dmg? > > > > I think the use case of the pkgdmg provider is to use a local site, so > > it is ok to use puppet's CA, or am I missing something? > > I may also be missing something, but I thought that the provider could > use any site that serves up dmg's over http, so in that case using > puppet's CA doesn't make sense. Perhaps someone more familiar with > how this provider is used could weigh in (Nigel?). > I see the need to verify the server certificate, and I think it's clever to re-use the puppet certificates since it is something the puppet agent has a trust anchor for and a certificate is already issued. However, with the current documented behavior of the pkgdmg provider, this patch probably doesn't match the expectation of most people. If a web server with a valid certificate signed by Verisign or Thawte or something hosts the dmg file, then this patch would throw a warning and fall back to no validation. Would it be possible to add 2 checks, one using the default x.509 anchors, then fall back to trying the puppet certificate, then fall back to insecure? Alternatively, I'd +1 this patch if it contained a change to the inline documentation string describing the behavior of using the puppet CA bundle to verify the server certificate, rather than the default curl bundle. -- Jeff McCune http://www.puppetlabs.com/ -- You received this message because you are subscribed to the Google Groups "Puppet Developers" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en.
