On Thu, Apr 19, 2012 at 08:23, Marcus Meissner <meissner@suse.de> wrote:
> osc asks to store such a certificate in its local cert store when it is not signed by any of the known root-CAs.
Ah, thank you very much! With a reasonably current version of osc (verified with 0.132.5 and 0.134.1) this works indeed (the certificate will be stored in ~/.config/osc/trusted-certs/${hostname}_${port}.pem). When I last tested this back around December, osc just tracebacked on me and I had to look into the m2crypto error message to find out that the communication failed because the certificate was untrusted (although I'm unsure what the precise SSL error was).
> However it needs to fulfil some basic requirements like a matching hostname ;)

Yes that's true, my point was it failed *before* the hostname check for me, and I assumed it was still unfixed. Should have checked first, but I don't set up new OBSs that often. (;

On Thu, Apr 19, 2012 at 10:08, Adrian Schröter <adrian@suse.de> wrote:
> On Wednesday, 18 April 2012, 22:51:47, 686f6c6d wrote:
> > Given the fact that creating a self-signed certificate is part of README.SETUP, I strongly agree that this should be documented and/or fixed. AFAICT, the docs as they are now are only useful if you avoid SSL altogether or have a trusted CA.
>
> Since osc and web browsers usually do store the initial CA, it is still useful to detect attacks later.
> I think an explanation of how to create official CAs is too much for our docs, but we could add a link on how to proceed with that.
Sorry, I didn't make myself clear. What I meant was that it should be possible to use osc with a self-signed certificate, which obviously works now. (A documentation pointer on how to get m2crypto or the whole oS to trust the certificate would be nice, but isn't what I meant. I just wanted osc to work for the newbie -- me -- that installs from the official docs.)

--
Kind regards
686f6c6d / Christopher 'm4z' Holm