Simone Tiraboschi has posted comments on this change.

Change subject: packaging: setup: WebSocketProxy on a separate host

Patch Set 11:

(1 comment)

http://gerrit.ovirt.org/#/c/28534/11/packaging/setup/plugins/ovirt-engine-setup/websocket_proxy/config.py
File packaging/setup/plugins/ovirt-engine-setup/websocket_proxy/config.py:

Line 203: "websocket-proxy-standalone.p12\n"
Line 204: "from the engine host to this host at "
Line 205: "{wsp_store}\n"
Line 206: "And copy /etc/pki/ovirt-engine/certs/engine.cer\n"
Line 207: "from the engine host to this host at "
> probably pki-resource is better:

Ok, so I'm getting a cert to trust the engine server, but I'm getting it from the same server that I still need to trust. The connection should be secure because it's https, but I'm still trusting neither the remote Apache server nor the CA, because if it's a separate host, my host still doesn't know anything about it.

So I fear that we need to trust everything blindly, but in that case we are just adding complexity but not security: if we are really on a separate host and the second host still doesn't trust the CA that signed that cert (also just because it can be a private CA and not a publicly trusted one), in my opinion it's better to have the user manually deploy the first server's cert, trusting it, than to trust everything blindly.

Line 208: "{engine_cer}\n"
Line 209: "\n"
Line 210: "Than, at last, on this host:\n"
Line 211: "openssl pkcs12 -in {wsp_store} -nokeys -out {wsp_cert}\n"

--
To view, visit http://gerrit.ovirt.org/28534

Gerrit-MessageType: comment
Gerrit-Change-Id: Ifceddd5aa44a77f67a3b6b30c6678d9a3b485f9c
Gerrit-PatchSet: 11
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Simone Tiraboschi <stira...@redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com>
Gerrit-Reviewer: Doron Fediuck <dfedi...@redhat.com>
Gerrit-Reviewer: Itamar Heim <ih...@redhat.com>
Gerrit-Reviewer: Sandro Bonazzola <sbona...@redhat.com>
Gerrit-Reviewer: Simone Tiraboschi <stira...@redhat.com>
Gerrit-Reviewer: Yedidyah Bar David <d...@redhat.com>
Gerrit-Reviewer: automat...@ovirt.org
Gerrit-Reviewer: oVirt Jenkins CI Server
Gerrit-HasComments: Yes
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
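
An added example, not part of the message above or of the oVirt setup code: one way to check a manually copied engine.cer on the WebSocketProxy host, by comparing its SHA-256 fingerprint with the value the operator read on the engine host. The function names, the fingerprint comparison itself and the throwaway sample certificates are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: verify a manually deployed certificate against a
# fingerprint carried over out of band. Function names are hypothetical.

# Print the SHA-256 fingerprint of a PEM certificate as bare uppercase hex.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Return 0 only if the copied file matches the expected fingerprint.
# $1 = copied certificate, $2 = fingerprint read on the engine host
verify_copied_cert() {
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    got=$(cert_fp "$1")
    # An unreadable or non-certificate file yields an empty value: reject it.
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Constructed sample input: a throwaway self-signed certificate that stands
# in for the real engine.cer (or for a certificate substituted in transit).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Walk through both outcomes with two constructed certificates that carry
# the same subject name but different keys.
demo() {
    d=$(mktemp -d) || return 1
    make_sample_cert "$d/engine.cer" engine.example.test
    make_sample_cert "$d/other.cer" engine.example.test
    expected=$(cert_fp "$d/engine.cer")  # value read on the engine host
    verify_copied_cert "$d/engine.cer" "$expected" &&
        echo "engine.cer: fingerprint matches"
    verify_copied_cert "$d/other.cer" "$expected" ||
        echo "other.cer: fingerprint MISMATCH, do not trust"
    rm -rf "$d"
}
```

The second sample certificate has the same subject as the first, so only the fingerprint distinguishes them; a name check alone would accept both.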