another issue to fix with the FAS2 switch: Koji's ssl certificate

Till Maas opensource at till.name
Wed Mar 12 08:29:04 UTC 2008


On Tue March 11 2008, Dennis Gilmore wrote:
> On Tuesday 11 March 2008, Till Maas wrote:

> > How about making the hub (I assume this is only used by automated
> > processes and not manually) listen on a different port than 443? Then the
> > web interface could use the new well-known certificate. The automated
> > processes the internal ones, where imho using an own CA does not hurt.
> > Also using a different port should be only a matter of configuring it
> > once.
> > The secondary arch instances could then use a cacert[0] certificate,
> > which are free and are trusted by some browsers already for the web
> > interface.
>
> If we use CACert we would have to ship it in the browsers we supply.
> Currently no browser shipped with Fedora does, and if we did such we would
> use it for all services, and it would require changes to all users' koji
> configs. People who are not using Fedora would be in the same situation
> as they are now. AFAIK only CentOS ships browsers with CACert's root cert.

The certificate for the currently used CA is not shipped within Fedora
browsers, too. Otherwise I probably would not have noticed the certificate of
Koji. Therefore using cacert would be no regression this way.

Btw. is it really needed that the client and server certificates are signed by
the same CA?
The Apache documentation for SSLCACertificateFile only mentions client
authentication:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile

Regards,
Till
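
The split discussed in this message, sketched as an added Apache 2.2 mod_ssl configuration fragment (not part of the original message and not the Fedora infrastructure's own configuration). The host name, port 8443 and all file paths are hypothetical; it shows that the certificate a virtual host presents and the CA it accepts client certificates from are set by separate directives.

```apache
# Added example: hypothetical host name, port and paths throughout.
Listen 443
Listen 8443

# Web interface for people using browsers: presents a certificate
# issued by a CA the browsers already trust. No client certificates.
<VirtualHost *:443>
    ServerName koji.example.org
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/koji-web-public.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/koji-web-public.key
    SSLCertificateChainFile /etc/pki/tls/certs/public-ca-chain.crt
    SSLVerifyClient none
</VirtualHost>

# Hub for automated clients on a separate port.
<VirtualHost *:8443>
    ServerName koji.example.org
    SSLEngine on

    # Certificate this virtual host presents to clients. Each client
    # checks it against whatever CA the client itself is configured
    # to trust; the server-side directives below play no part in that.
    SSLCertificateFile      /etc/pki/tls/certs/koji-hub.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/koji-hub.key

    # CA used only to verify certificates that clients present.
    # It does not have to be the issuer of koji-hub.crt above.
    SSLCACertificateFile    /etc/pki/tls/certs/internal-client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1
</VirtualHost>
```

With a layout like this, changing the issuer of the browser-facing certificate leaves the client-certificate CA untouched, but every automated client still needs the hub's new port and the CA that issued the hub's certificate in its own configuration.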