Re: Problem with clients authentication to the server


  • From: Daniel DeLeo <devnullian@gmail.com>
  • To: chef@lists.opscode.com
  • Subject: Re: Problem with clients authentication to the server
  • Date: Tue, 2 Jun 2009 16:04:13 -0600



On Tue, Jun 2, 2009 at 9:51 AM, Adam Jacob <adam@opscode.com> wrote:
> We'll file a bug and update the install process.  Thanks, Albert!
>
> Adam
>
> On Tue, Jun 2, 2009 at 1:39 AM, Albert Llop <mrsimo@gmail.com> wrote:
>
> > It'd be wonderful if this kind of error receives the proper notification
> > somehow, maybe on the cert generation step? You shouldn't let anyone
> > generate a cert with a CN that doesn't look like a domain.

Other responses that could be helpful:
* Unless there are use-cases for server_fqdn != cert CN, error out if they don't match. Maybe a big fat warning would be more appropriate than erroring out.
* Do some magic and fill in the cert CN with the value from server_fqdn under the right conditions (like CN=server_fqdn)
* rescue the "name does not match" error and re-raise it with a more useful message. I was confused by the 400/bad request response (I now suspect that happened internally on the server and the response actually returned to the client was 500, but confusing nonetheless) which at first glance seemed to imply the client was in the wrong. I also spent some time wondering "name does not match WHAT, EXACTLY?"

Again, I'm new here, so I don't know if these are good ideas, they're just what first came to my mind as solutions.

Thanks,
Dan
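The check Dan sketches above, as an added example in Ruby (not Chef's code and not from the thread): compare the configured server_fqdn against the certificate with the same hostname-matching rules a TLS client applies (DNS SANs first, then the subject CN, wildcards honoured), and when they disagree raise an error that names both values instead of a bare "name does not match". The self-signed certificate generator and the `server_fqdn` parameter are assumptions for the example; in a real install you would load the certificate the server actually serves.

```ruby
require 'openssl'

# Assumed helper, not Chef's: build a self-signed certificate whose subject is
# CN=<cn>, the way a hand-run cert generation step might, so the check can be
# exercised offline without a real server.
def make_self_signed_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Subject CN of a certificate, or nil if it has none (used only for the message).
def cert_common_name(cert)
  entry = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
  entry && entry[1]
end

# DNS names listed in the subjectAltName extension, if any (for the message;
# clients ignore the CN entirely when a SAN is present).
def cert_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip).grep(/\ADNS:/).map { |v| v.sub('DNS:', '') }
end

# Does the certificate identify server_fqdn? OpenSSL::SSL.verify_certificate_identity
# is the standard-library routine Ruby's own TLS client uses, so this answers the
# question a connecting chef-client will actually ask.
def cert_matches_fqdn?(cert, server_fqdn)
  OpenSSL::SSL.verify_certificate_identity(cert, server_fqdn)
end

# Returns nil when the names agree, otherwise a message that says which two
# names disagree, answering "name does not match WHAT, EXACTLY?".
def cert_name_mismatch_message(cert, server_fqdn)
  return nil if cert_matches_fqdn?(cert, server_fqdn)
  names = cert_dns_names(cert)
  described = names.empty? ? "CN #{cert_common_name(cert).inspect}" :
                             "SAN #{names.inspect}"
  "server_fqdn #{server_fqdn.inspect} does not match the server certificate " \
  "(#{described}); clients will reject the connection"
end

class CertNameMismatch < StandardError; end

# Strict form: error out at startup, as the first of Dan's options proposes.
def check_server_cert!(cert, server_fqdn)
  msg = cert_name_mismatch_message(cert, server_fqdn)
  raise CertNameMismatch, msg if msg
  true
end

if __FILE__ == $0
  # Constructed scenario: cert generated with CN "chef" (not a domain) while the
  # server is configured as chef.example.com.
  bad = make_self_signed_cert('chef')
  puts cert_name_mismatch_message(bad, 'chef.example.com')
  check_server_cert!(make_self_signed_cert('chef.example.com'), 'chef.example.com')
  puts 'matching certificate accepted'
end
```

Swapping the `raise` for a logged warning gives the "big fat warning" variant; the message text is the same either way. One caveat worth knowing when applying this to real certificates: if the certificate carries a subjectAltName, `verify_certificate_identity` (like browsers and most TLS stacks) checks only the SANs and never looks at the CN, so fixing the CN alone does not help such a certificate.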



