[Zope3-dev] Re: Why do we distribute SSL server keys and certs?
Tres Seaver
tseaver at palladion.com
Sat Oct 14 23:56:24 EDT 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jim Fulton wrote:
>
> I'll probably reveal my ignorance of SSL here, but it is worrisome to me
> that we distribute a PEM file that contains a default server key and
> certificate. This seems like an exceedingly bad idea.
It is.
> We also distribute a private key to be used for sftp. (Shouldn't there
> be a corresponding public key?) This seems like a very bad idea too.
Keys should be generated inside 'mkzopeinstance.py', never shipped. We
should probably add scripts for (re)doing the generation, as well.
> The good news is that neither are these are enabled by default, however,
> there are commented examples in the configuration file with comments
> blithely telling people to uncomment them to get HTTPS or SFTP support,
> using public "private" keys.
>
> Am I missing something?
I don't think so. I didn't realize that we were shipping them at all.
Are the shipped certs part of Twisted? In that case, we need to report
this as an upstream bug.
> BTW, are there tests of the HTTPS and SFTP support?
No se. Remove the code and see what breaks ;).
Tres.
- --
===================================================================
Tres Seaver +1 202-558-7113 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFMbFo+gerLs4ltQ4RAhWDAJ9fEynyLnvY3OJjaWIyrzf9AVliBQCfatGh
n802vxTRnPwfpG9W+2AHI48=
=1OnO
-----END PGP SIGNATURE-----
More information about the Zope3-dev
mailing list