[cvsnt] Setting up shared repositories
Gerhard Fiedler
lists at connectionbrazil.com
Wed Aug 15 19:38:41 BST 2007
Michael Wojcik wrote:
>> From what I read about this, sserver is pserver over SSL.
>> AFAIK SSL works like this (simplified):
>>
>> - Client requests a connection, telling what ciphers it supports
>> - Server uses best cipher it also supports and sends cert,
>> usually containing a public key and a CA (if no CA, the cert
>> has to be trusted on the client)
>
> Not really.

Thanks for the clarifications.

> First, a CA (Certification Authority) is an organization, not a document;
> you can't "send a CA".

Of course not... :) What I meant by "send a CA" was "send the
information that allows the receiver to contact a commonly trusted CA and
verify the certificate" (like someone may ask me to "give [her] my email"
:).

So in the end, it still seems to boil down to this: a cert either has to be
trusted on the client, or be signed by a CA that's trusted on the client.
And you seem to say that by installing the cvsnt client, the certificate
that comes with it is automatically trusted (by the cvsnt client), right?

> If you want real security, with authentication, you replace that
> self-signed certificate with a proper CA-signed one, and make sure the
> client has the appropriate root certificate available, and configure the
> client to require a properly-signed server certificate.

Or you use your own self-signed certificate, and make sure it's registered
as trusted on all clients.

Gerhard
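
The two trust setups discussed in this thread (a CA-signed server certificate with the root on the client, or a self-signed certificate registered as trusted on the client), reproduced as an added example that is not part of the original messages. It uses the openssl command line rather than cvsnt's own configuration, which the thread does not show; all subjects, host names and file names are constructed.

```shell
#!/bin/sh
# Added example. All subjects, host names and file names are constructed.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

make_certs() {
  # Setup A: a private root CA and a server certificate signed by it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Root CA" \
    -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=cvs.example.test" \
    -keyout "$work/srv.key" -out "$work/srv.csr" 2>/dev/null
  openssl x509 -req -in "$work/srv.csr" -days 30 \
    -CA "$work/ca.pem" -CAkey "$work/ca.key" -CAcreateserial \
    -out "$work/srv.pem" 2>/dev/null
  # Setup B: a stand-alone self-signed server certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=cvs.example.test" \
    -keyout "$work/self.key" -out "$work/self.pem" 2>/dev/null
}

# client_accepts TRUSTED CERT
# Prints whether a client that trusts TRUSTED accepts CERT. The system CA
# directory may also be consulted; it does not contain these constructed certs.
client_accepts() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

make_certs
echo "CA-signed, root on client:        $(client_accepts "$work/ca.pem" "$work/srv.pem")"
echo "self-signed, registered on client: $(client_accepts "$work/self.pem" "$work/self.pem")"
echo "self-signed, not registered:       $(client_accepts "$work/ca.pem" "$work/self.pem")"
echo "CA-signed, root missing on client: $(client_accepts "$work/self.pem" "$work/srv.pem")"
```

`openssl verify` checks only the chain to a trust anchor; matching the certificate name against the server's host name is a separate client-side check.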