| To: | Ken McDonell <kenj@xxxxxxxxxxxxxxxx> |
|---|---|
| Subject: | Re: [pcp] Secure sockets - unnecessary client certificate initialization issue |
| From: | Nathan Scott <nathans@xxxxxxxxxx> |
| Date: | Tue, 16 Apr 2013 05:43:28 -0400 (EDT) |
| Cc: | PCP Mailing List <pcp@xxxxxxxxxxx> |
| Delivered-to: | pcp@xxxxxxxxxxx |
| In-reply-to: | <516CFCA4.4090202@xxxxxxxxxxxxxxxx> |
| References: | <516CFCA4.4090202@xxxxxxxxxxxxxxxx> |
| Reply-to: | Nathan Scott <nathans@xxxxxxxxxx> |
| Thread-index: | L0M5PgAh5+AWlFM7efXjxk21ABmC0Q== |
| Thread-topic: | Secure sockets - unnecessary client certificate initialization issue |
----- Original Message -----
> The current code tries to load certificates for any client even those
> that have no interest in using secure sockets.
>
> This causes an empty $HOME/.pki/nssdb to be created, which is at the
> root of my earlier "security" issue.
>

This one seems fairly benign at least.

> We should not be doing anything on the client side unless
> $PCP_SECURE_SOCKETS is set to something interesting in the environment.

Or a context is explicitly created with the context flag ... it's not as
simple as just checking an env var, it's possible to create secure and
non-secure contexts from within a single tool (pmchart).

So, we can take load_certificate_database() out of the __pmConnectPMCD
one-trip guard and add separate global state for this I guess.

cheers.

--
Nathan
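
The change suggested in the message above, sketched as an added example (not part of the original message and not PCP's own code): the certificate database gets its own one-trip state, separate from the connection guard, and is loaded only when a context asks for a secure connection. The names `CTX_FLAG_SECURE`, `demo_connect`, `wants_secure` and the stub functions are hypothetical, and treating any non-empty `$PCP_SECURE_SOCKETS` as "interesting" is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>

#define CTX_FLAG_SECURE 0x1  /* hypothetical per-context "secure" flag */

static int connect_done;     /* one-trip guard for general connection setup */
static int certdb_loaded;    /* separate one-trip state for the cert database */
static int certdb_loads;     /* call counter, for demonstration only */

/* Stand-in for load_certificate_database(): in the real client this is the
 * step whose side effect is creating an empty $HOME/.pki/nssdb. */
static int load_certdb_stub(void) { certdb_loads++; return 0; }

/* Stand-in for the non-TLS, once-per-process connection setup. */
static void connect_setup_stub(void) { }

/* Secure if the context flag says so, or if the environment variable is set
 * to a non-empty value (assumed meaning of "something interesting"). */
static int wants_secure(int ctx_flags)
{
    const char *env = getenv("PCP_SECURE_SOCKETS");
    return (ctx_flags & CTX_FLAG_SECURE) || (env != NULL && env[0] != '\0');
}

/* Hypothetical connect path. A real library would also need locking around
 * both guards if contexts can be created from several threads. */
static int demo_connect(int ctx_flags)
{
    if (!connect_done) {
        connect_setup_stub();
        connect_done = 1;
    }
    /* The cert database is no longer tied to the first connection: it loads
     * on the first *secure* context, whenever that happens to be created. */
    if (wants_secure(ctx_flags) && !certdb_loaded) {
        if (load_certdb_stub() != 0)
            return -1;
        certdb_loaded = 1;
    }
    return 0;
}

int main(void)
{
    demo_connect(0);                 /* plain context: nothing loaded */
    demo_connect(CTX_FLAG_SECURE);   /* first secure context: loads once */
    demo_connect(CTX_FLAG_SECURE);   /* later secure context: no reload */
    printf("certificate database loads: %d\n", certdb_loads);
    return 0;
}
```
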