Jim Fulton wrote:
> I'll probably reveal my ignorance of SSL here, but it is worrisome to me
> that we distribute a PEM file that contains a default server key and
> certificate. This seems like an exceedingly bad idea.
> We also distribute a private key to be used for sftp. (Shouldn't there
> be a corresponding public key?) This seems like a very bad idea too.
Keys should be generated inside 'mkzopeinstance.py', never shipped. We
should probably add scripts for (re)doing the generation, as well.
> The good news is that neither of these is enabled by default; however,
> there are commented examples in the configuration file with comments
> blithely telling people to uncomment them to get HTTPS or SFTP support,
> using public "private" keys.
> Am I missing something?
I don't think so. I didn't realize that we were shipping them at all.
Are the shipped certs part of Twisted? In that case, we need to report
this as an upstream bug.
> BTW, are there tests of the HTTPS and SFTP support?
I don't know. Remove the code and see what breaks ;).
Tres Seaver +1 202-558-7113 [EMAIL PROTECTED]
Palladion Software "Excellence by Design" http://palladion.com
Zope3-dev mailing list