Talk:Features/SharedSystemCertificates

From FedoraProject

Latest revision as of 18:28, 10 April 2013

== Python ==

Python uses OpenSSL but will only use the system certificates if explicitly told to. The path to the CA cert bundle must either be hardcoded in the app or configured. See for instance http://mercurial.selenic.com/wiki/CACertificates#Fedora.2FRHEL . That should be taken into consideration for this feature. But it is not obvious how.

The best and least intrusive solution might be to modify Python to always use the system certificates, especially when no certs have been specified. That is apparently what OS X does. Kiilerix (talk) 23:53, 23 January 2013 (UTC)
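The two patterns contrasted in the comment above, as an added example (not code from the feature page or from any of the packages discussed). `ssl.create_default_context()` in Python 3.4+ loads OpenSSL's compiled-in default verify paths, which is what the shared system store populates, so the application needs no path at all; the hardcoded path shown for comparison is an assumption about the Fedora layout and exists only to illustrate the fragile alternative.

```python
import ssl

# Assumed legacy Fedora bundle location; hardcoding it is exactly the
# pattern the comment warns about and is shown here only as the "before".
FEDORA_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"


def context_from_hardcoded_bundle(bundle_path=FEDORA_BUNDLE):
    """Application-chosen CA path.

    Breaks on any distribution or layout that puts the bundle elsewhere
    (FileNotFoundError), and bypasses whatever the administrator added to
    the shared store if this path ever goes stale.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=bundle_path)
    return ctx


def context_from_system_store():
    """No path in the application at all.

    create_default_context() sets CERT_REQUIRED + check_hostname and calls
    load_default_certs(), so OpenSSL resolves its own default cafile/capath
    (or the SSL_CERT_FILE / SSL_CERT_DIR environment overrides), which is
    where a shared system store installs its trust anchors.
    """
    return ssl.create_default_context()


def describe_default_paths():
    """Where this Python/OpenSSL build will look when not told a path."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.cafile,                    # None if the file is absent
        "capath": p.capath,                    # None if the dir is absent
        "openssl_cafile": p.openssl_cafile,    # compiled-in default
        "openssl_capath": p.openssl_capath,
        "cafile_env": p.openssl_cafile_env,    # usually SSL_CERT_FILE
        "capath_env": p.openssl_capath_env,    # usually SSL_CERT_DIR
    }


def summarize(ctx):
    """Verification settings of a context, in a form easy to inspect."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "trusted_cas": len(ctx.get_ca_certs()),
    }


if __name__ == "__main__":
    print(describe_default_paths())
    print(summarize(context_from_system_store()))
```

Running this on a box with no CA store installed reports `trusted_cas: 0` rather than failing, which is the quiet failure mode to check for in a freshly built container or minimal install.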

python-requests-0.14.1-1.fc17.noarch also includes /usr/lib/python2.7/site-packages/requests/cacert.pem . They should use the existing certs in /etc/pki. The guidelines should be updated to make it clear that CA stores other than the shared ones aren't ok. Kiilerix (talk) 15:04, 26 January 2013 (UTC)

Following a discussion with Kiilerix on IRC, I have added a warning to rpmlint (in git only for now) to output a message when a certificate is bundled (for whatever reason). We found a few packages that should be fixed (gajim, linphone, pidgin, etc.) just by using yum whatprovides '*.pem'. (Misc)
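A standalone scanner in the spirit of the rpmlint warning and the `yum whatprovides '*.pem'` search mentioned above, added here as an example (it is not the rpmlint check itself). It looks for PEM certificate blocks by content rather than by file extension, so a bundle named `.crt` or `.txt` is caught too, and ignores DH parameters, keys and CSRs, which are not trust anchors. The shared-store prefixes it whitelists are an assumed layout, and the PEM bodies in the demo are constructed, not real certificates.

```python
import os
import re
import tempfile

# Only certificate blocks count; "BEGIN DH PARAMETERS", "BEGIN PRIVATE KEY"
# and so on are not trust anchors and are deliberately not matched.
CERT_RE = re.compile(rb"-----BEGIN (?:TRUSTED )?CERTIFICATE-----")

# Assumed shared-store locations, relative to the scanned root. Anything
# with a certificate block outside these is a bundled store and gets flagged.
SHARED_STORE_PREFIXES = (
    "etc/pki/ca-trust/",
    "etc/pki/tls/certs/",
    "usr/share/pki/ca-trust-source/",
)


def scan_for_bundled_certs(root, shared_prefixes=SHARED_STORE_PREFIXES,
                           max_bytes=4 << 20):
    """Return sorted root-relative paths of files carrying PEM certificates
    outside the shared store. Files over max_bytes are skipped so a stray
    archive does not get slurped into memory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith(shared_prefixes):
                continue
            try:
                if os.path.getsize(full) > max_bytes:
                    continue
                with open(full, "rb") as fh:
                    if CERT_RE.search(fh.read()):
                        hits.append(rel)
            except OSError:
                continue  # unreadable file: not our problem here
    return sorted(hits)


# Constructed PEM framing only; the bodies are not real certificates.
FAKE_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                 b"MIIBszCCAVmgAwIBAgIUf0example\n"
                 b"-----END CERTIFICATE-----\n")
FAKE_DH_PEM = (b"-----BEGIN DH PARAMETERS-----\n"
               b"MIIBCAKCAQEAexample\n"
               b"-----END DH PARAMETERS-----\n")


def demo():
    """Build a throwaway filesystem layout and scan it.

    The requests bundle path is the one named in the comment above; the
    other entries exist to show what is (correctly) not reported."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "usr/lib/python2.7/site-packages/requests/cacert.pem": FAKE_CERT_PEM,
            "etc/pki/tls/certs/ca-bundle.crt": FAKE_CERT_PEM,   # shared store
            "usr/share/example-app/dhparams.pem": FAKE_DH_PEM,  # .pem, no cert
            "usr/share/doc/example-app/README": b"no certificates here\n",
        }
        for rel, data in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_for_bundled_certs(root)


if __name__ == "__main__":
    for hit in demo():
        print("bundled certificate store:", hit)
```

Pointing `scan_for_bundled_certs()` at an unpacked RPM payload (`rpm2cpio pkg.rpm | cpio -idm` into a temp dir) gives the same per-package check the rpmlint warning performs at build time.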

== ldap ==

I applaud this effort. Will it be possible to support storing the information in LDAP (or IPA)?

It would certainly be possible to make a script that retrieves certificate information from LDAP and caches it on the local machine. But this is not an integral part of the feature at this point. Stefw (talk) 18:28, 10 April 2013 (UTC)

== Per-user overrides ==

For common non-{root/daemon} use cases, it should IMHO be up to the user whom to trust. Is this view supported, and can the user, e.g., blacklist certificates trusted on the global level? Jpokorny (talk) 17:27, 10 April 2013 (UTC)

Although not in Fedora 19, I hope to make that work soon. Stefw (talk) 18:28, 10 April 2013 (UTC)