
Re: Making CA certificate available over http, __default__ rewrites



On Wed, Jul 10, 2013 at 04:41:21PM -0400, Brenton Leanhardt wrote:
> >
> >in an effort to stop using curl -k and rhc -k when talking to broker,
> >I thought it'd be nice if broker had a well-known location of its CA
> >certificate.
> 
> This isn't to solve a security concern, right?  You just want to avoid
> using -k?

Yes. And use --cacert instead (for curl) or put the CA cert into a
bundle, on the client.

> Personally, I prefer for clients to understand clearly that they are
> using untrusted connections.

They will, nothing is changing. I just thought "I should have the CA
certificate on the client -- where do I take it from?".

> Your points about ensuring that Brokers and Nodes don't own the whole
> apache context are certainly valid though.  I'm sure we can improve
> something there.  Please open a bug when you have a specific example
> you need to get working and we'll take care of it.

OK, thank you.

-- 
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat

