-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jim Fulton wrote:
> 
> I'll probably reveal my ignorance of SSL here, but it is worrisome to me
> that we distribute a PEM file that contains a default server key and
> certificate.  This seems like an exceedingly bad idea.

It is.

> We also distribute a private key to be used for sftp.  (Shouldn't there
> be a corresponding public key?)  This seems like a very bad idea too.

Keys should be generated inside 'mkzopeinstance.py', never shipped.  We
should probably add scripts for (re)doing the generation, as well.

> The good news is that neither are these are enabled by default, however,
> there are commented examples in the configuration file with comments
> blithely telling people to uncomment them to get HTTPS or SFTP support,
> using public "private" keys.
> 
> Am I missing something?

I don't think so.  I didn't realize that we were shipping them at all.
Are the shipped certs part of Twisted?  In that case, we need to report
this as an upstream bug.

> BTW, are there tests of the HTTPS and SFTP support?

No se.  Remove the code and see what breaks ;).


Tres.
- --
===================================================================
Tres Seaver          +1 202-558-7113          [EMAIL PROTECTED]
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFMbFo+gerLs4ltQ4RAhWDAJ9fEynyLnvY3OJjaWIyrzf9AVliBQCfatGh
n802vxTRnPwfpG9W+2AHI48=
=1OnO
-----END PGP SIGNATURE-----

_______________________________________________
Zope3-dev mailing list
Zope3-dev@zope.org
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com

Reply via email to