[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Making CA certificate available over http, __default__ rewrites

+++ Jan Pazdziora [11/07/13 10:34 +0200]:
On Wed, Jul 10, 2013 at 04:41:21PM -0400, Brenton Leanhardt wrote:
>in an effort to stop using curl -k and rhc -k when talking to broker,
>I thought it'd be nice if broker had a well-known location of its CA

This isn't to solve a security concern, right?  You just want to avoid
using -k?

Yes. And use --cacert instead (for curl) or put the CA cert to a
bundle, on the client.

Personally, I prefer for clients to understand clearly that they are
using untrusted connections.

They will, nothing is changing. I just thought "I should have the CA
certificate on the client -- where do I take it from?".

Am I misunderstanding your suggestion?  Are you wanting to serve the
CA only for your installation of OpenShift or are you suggesting this
become the standard for Origin?

The change that worries me is that some may think that is secure and
clients will be written that first fetch the server certificate from
the server and then use it for a 'trusted' connection.

I want to make the former work, but I'm cautious about the latter.

FWIW, http://curl.haxx.se/docs/sslcerts.html mentions how you can use
'openssl s_client'.  It's definitely not as convenient as fetching a
file though.


Your points about ensuring that Brokers and Nodes don't own the whole
apache context is certainly valid though.  I'm sure we can improve
something there.  Please open a bug when you have a specific example
you need to get working and we'll take care of it.

OK, thank you.

Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]