On Thu, May 19, 2011 at 7:29 PM, Douglas Hubler <[email protected]> wrote:
> On Thu, May 19, 2011 at 10:27 AM, Mircea Carasel <[email protected]> > wrote: > > With regard to XX-8779 the thing is that sipXconfig certificate authority > > page for uploading certificates rejects non trusted certificates > > (certificates signed by a trusted authority) > > Therefore, self signed certificates does not pass validation and cannot > be > > uploaded > > Is the problem that we have also should be managing authorities too? > That's hard to say. One thing is that the root certificate that is generated at system setup is not signed by a trusted authority, and therefore it is not trusted. As an example, browsers detect the certificate exposed at https://<host>:8443/ and they report that it is not trusted, meaning that is not signed by a trusted authority I think that's fine, I don't think that sipxecs should deal with trusted authorities, and I think that is also fine that sipx to require a trusted certificate if someone wants to upload a new certificate. Hope this answers the question :) > > > So my question is that will it be desirable to remove that additional > > verification (openssl -verify)? > > We want to disallow certs uploads that will cause the system to not > work. As far as I know, uploading a self-signed cert w/o also > installing the self-generated cert authority will break the system. > Right? > I agree, IMO we should keep certificate verification as is in sipXconfig. The most important thing is to define clear steps that should be followed by every user admin to generate certificate and upload through UI The feedback we got from Matthew looks very promising > _______________________________________________ > sipx-users mailing list > [email protected] > List Archive: http://list.sipfoundry.org/archive/sipx-users/ >
_______________________________________________ sipx-users mailing list [email protected] List Archive: http://list.sipfoundry.org/archive/sipx-users/
