[one-users] Sunstone noVNC with WSS support

Valentin Bud valentin.bud at gmail.com
Sat Mar 8 23:53:59 PST 2014


Hi Wilma,



On Fri, Mar 7, 2014 at 7:40 PM, Wilma Hermann <wilma.hermann at gmail.com> wrote:

> Hi Valentin,
>
> > Last time I checked, my CA looked pretty real to me
> Admittedly, "real" might have been the wrong word. Probably "common"
> would have better described what I meant.
>
> > And why is that? Is Verisign's random number generator better than yours?
> No, but their root certificate is shipped with every common browser
> out there, even on mobile devices.
>

You are right. And so we put our trust in them.


>
> > None of the RFCs I've read about PKI don't tell me that I SHOULD NOT use
> > self signed certs for production environments.
> Fair enough, that's true. And when you have an environment where you
> can ensure that all users have your root certificate installed, then
> there's no downside of a private CA-infrastructure. But from ML's
> comments I assumed that this particular OpenNebula installation is to
> be opened to the public (or at least an audience where ML cannot make
> sure that the root certificate is trusted by default).
> If that assumption holds and you're not willing to spend a few dollars
> for an uninterrupted user-experience, then I question your business
> model...
>

I totally agree with you about the user experience, and it is worth investing
a few dollars for it. I guess I am just frustrated that TLS fails to provide
peer-to-peer trust.


Greetings,
Valentin


> Greetings
> Wilma
>
>
> 2014-03-07 17:37 GMT+01:00 Valentin Bud <valentin.bud at gmail.com>:
> >
> > Hello Wilma,
> >
> > On Thu, Feb 6, 2014 at 6:20 PM, Wilma Hermann <wilma.hermann at gmail.com> wrote:
> >>
> >> There is a really easy fix for that: Get a real certificate from a real
> >> CA. You should not use self-signed certs for a production environment.
> >
> >
> > And why is that? Is Verisign's random number generator better than yours?
> > A real certificate from a real CA? I don't get that. Last time I checked, my CA
> > looked pretty real to me, conforming with RFC 5280. And the certificates from the
> > browser and VPNs issued by that CA are also real.
> >
> > None of the RFCs I've read about PKI don't tell me that I SHOULD NOT use
> > self signed certs for production environments.
> >
> > Your business's image could suffer from a self signed cert but that's another
> > story. Technology is technology and it should work either way, be it self signed
> > or not.
> >
> > Best,
> > Valentin
> >
> >>
> >> Greetings
> >> Wilma
> >>
> >>
> >> 2014-02-06 ML mail <mlnospam at yahoo.com>:
> >>
> >>> This workaround fixes that problem yes but it is not a good workaround
> >>> especially if you want to offer opennebula to real customers. I hope
> >>> another better alternative can be found in the future but I am aware that
> >>> this is mostly a browser problem :|
> >>>
> >>> Regards
> >>> ML
> >>>
> >>>
> >>>
> >>> On Thursday, February 6, 2014 10:56 AM, Daniel Molina <dmolina at opennebula.org> wrote:
> >>> Hi,
> >>>
> >>>
> >>> On 5 February 2014 16:58, ML mail <mlnospam at yahoo.com> wrote:
> >>>
> >>> Hello,
> >>>
> >>> I would like to use noVNC in Sunstone over an encrypted channel (WSS).
> >>> Therefore I have generated my own SSL key and certificate which I have
> >>> added to the sunstone-server.conf configuration. The problem is that this
> >>> does not work, when I start VNC from the Sunstone web interface I get the
> >>> following error message in novnc.log:
> >>>
> >>> SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> >>>
> >>> Does this mean I need an official SSL certificate?
> >>>
> >>>
> >>> Please, check if the solution proposed in this thread, fixes your problem
> >>> http://lists.opennebula.org/pipermail/users-opennebula.org/2014-February/026405.html
> >>>
> >>> Cheers
> >>>
> >>>
> >>>
> >>> Regards
> >>>
> >>> ML
> >>>
> >>>
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at lists.opennebula.org
> >>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
> >>>
> >>>
> >>>
> >>>
> >>> --
> >>> --
> >>> Daniel Molina
> >>> Project Engineer
> >>> OpenNebula - Flexible Enterprise Cloud Made Simple
> >>> www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >
> >
> >
> > --
> > Valentin Bud
> > http://databus.pro | valentin at databus.pro
>



-- 
Valentin Bud
http://databus.pro | valentin at databus.pro
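
An added illustration, not part of any message in this thread: the trust-anchor point both posters agree on, shown with the openssl CLI. A certificate issued by a private CA validates for a client that has that root installed and is rejected by one that does not, which is the condition behind the "unknown ca" alert quoted above. The CA names, file names and the hostname sunstone.example.test are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). All names below are constructed.
set -eu

# Create a self-signed root CA. $1 = work dir, $2 = CA name
new_ca() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
    'prompt=no' '[dn]' "CN=$2" '[v3_ca]' \
    'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$1/$2.cnf"
  openssl req -x509 -config "$1/$2.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Issue a server certificate from a CA. $1 = work dir, $2 = CA name, $3 = host
issue_cert() {
  openssl req -new -config "$1/$2.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$3" -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
  openssl x509 -req -in "$1/srv.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 30 -out "$1/srv.crt" 2>/dev/null
}

# Exit 0 if cert $2 chains to trust anchor $1, non-zero otherwise.
# The system trust store cannot help here: it does not hold either test root.
trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  new_ca "$d" private-ca      # the operator's own CA
  new_ca "$d" other-ca        # stands in for a client lacking that root
  issue_cert "$d" private-ca sunstone.example.test

  if trusts "$d/private-ca.crt" "$d/srv.crt"; then
    echo "client with the private root installed: chain validates"
  fi
  if ! trusts "$d/other-ca.crt" "$d/srv.crt"; then
    echo "client without it: rejected, issuer is an unknown CA"
  fi
  rm -rf "$d"
}

demo
```

The same server certificate is used in both checks; only the client's trust anchor changes.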