Mailinglist Archive: opensuse-buildservice (205 mails)

Re: [opensuse-buildservice] OBS 1.3 Privately signed certificate and osc
On Thu, Apr 19, 2012 at 08:23, Marcus Meissner <meissner@xxxxxxx> wrote:

> osc asks to store such a certificate in its local cert store when
> it is not signed by any of the known root-CAs.

Ah, thank you very much!
With a reasonably current version of osc (verified with 0.132.5 and
0.134.1) this works indeed (the certificate will be stored in
~/.config/osc/trusted-certs/${hostname}_${port}.pem).
When I last tested this back around December, osc just tracebacked on
me and I had to look into the m2crypto error message to find out that
the communication failed because the certificate was untrusted
(although I'm unsure what the precise SSL error was).

> However it needs to fulfil some basic requirements like a matching
> hostname ;)

Yes that's true, my point was it failed *before* the hostname check
for me, and I assumed it was still unfixed. Should have checked first,
but I don't set up new OBSs that often. (;


On Thu, Apr 19, 2012 at 10:08, Adrian Schröter <adrian@xxxxxxx> wrote:
> On Wednesday, 18 April 2012, 22:51:47, 686f6c6d wrote:
> > Given the fact that creating a self-signed certificate is part of
> > README.SETUP, I strongly agree that this should be documented and/or
> > fixed.
> > AFAICT, the docs as they are now are only useful if you avoid SSL
> > altogether or have a trusted CA.
>
> since osc and web browsers usually do store the initial CA it is still
> useful to detect attacks later.
>
> I think an explanation how to create official CAs is too much for our
> documentation, but we could add a link how to proceed on that.

Sorry, I didn't make myself clear. What I meant was that it should be
possible to use osc with a self-signed certificate, which obviously
works now. (A documentation pointer on how to get m2crypto or the
whole oS to trust the certificate would be nice, but isn't what I
meant. I just wanted osc to work for the newbie -- me -- that installs
from the official docs.)


--
Kind regards
    686f6c6d / Christopher 'm4z' Holm
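
Added example, not osc's code and not part of the original mail: a minimal trust-on-first-use check built around the per-server file naming mentioned above (`${hostname}_${port}.pem`), showing how a stored certificate lets a later change be detected. The certificate bytes, the host `obs.example.test` and all function names are constructed for this illustration.

```python
import hashlib
import re
import ssl
import tempfile
from pathlib import Path

# Constructed stand-ins for DER certificate bytes (not real certificates).
CERT_A = b"constructed-der-bytes-original-server"
CERT_B = b"constructed-der-bytes-different-server"


def pin_path(store: Path, host: str, port: int) -> Path:
    # Refuse anything that is not a plain hostname, so a hostile value
    # such as "../x" cannot place the pin outside the store directory.
    if not re.fullmatch(r"[A-Za-z0-9.-]+", host):
        raise ValueError(f"unsafe hostname: {host!r}")
    return store / f"{host}_{port}.pem"  # naming as quoted in the message


def check_pin(store: Path, host: str, port: int, der: bytes,
              accept_new: bool = False) -> str:
    """Return 'unknown', 'stored', 'match' or 'changed'."""
    path = pin_path(store, host, port)
    if not path.exists():
        if not accept_new:
            return "unknown"  # caller asks the user before trusting
        store.mkdir(parents=True, exist_ok=True)
        path.write_text(ssl.DER_cert_to_PEM_cert(der))
        return "stored"
    pinned = ssl.PEM_cert_to_DER_cert(path.read_text())
    same = hashlib.sha256(pinned).digest() == hashlib.sha256(der).digest()
    # A mismatch never overwrites the pin, even with accept_new set.
    return "match" if same else "changed"


def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "trusted-certs"
        host, port = "obs.example.test", 443  # hypothetical server
        return [
            check_pin(store, host, port, CERT_A),
            check_pin(store, host, port, CERT_A, accept_new=True),
            check_pin(store, host, port, CERT_A),
            check_pin(store, host, port, CERT_B, accept_new=True),
        ]


if __name__ == "__main__":
    print(demo())
```
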