[Freeipa-devel] [PATCH 0288] certs: Fix incorrect flag handling in load_cacert

Jan Cholasta jcholast at redhat.com
Tue Dec 2 14:45:31 UTC 2014


On 2.12.2014 at 14:09 Tomas Babej wrote:
>
> On 12/02/2014 02:02 PM, Jan Cholasta wrote:
>> On 2.12.2014 at 13:55 Tomas Babej wrote:
>>>
>>> On 12/02/2014 01:45 PM, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 2.12.2014 at 13:16 Tomas Babej wrote:
>>>>> Hi,
>>>>>
>>>>> For CA certificates that are not certificates of the IPA CA, we
>>>>> incorrectly set the trust flags to ",,", regardless of what
>>>>> trust_flags parameter was actually passed.
>>>>>
>>>>> Make the load_cacert method respect trust_flags and make "C,," the
>>>>> default set of trust flags.
>>>>
>>>> For unknown CA certificates, you must keep the default ",," and
>>>> explicitly override it where necessary. We don't want to trust *any*
>>>> CA certificate to issue server certs.
>>>>
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/4779
>>>>
>>>> Honza
>>>
>>> Updated patch attached.
>>>
>>> However, this boils down to the same thing, so there is really no
>>> functional difference between the two versions of the patch in the
>>> current code base. In all places where load_cacert is called, the
>>> trust flags are explicitly overridden.
>>>
>>
>> OK, then we don't need a default value at all.
>>
>
> Updated patch makes trust_flags a required argument of load_cacert.
>

Thanks, ACK!

Pushed to:
master: faec4ef9de431a1b72423be8ce6cea28a7221531
ipa-4-1: db4ac4774523c1d41a606b1c0297e9eeae13ebd6

Honza

-- 
Jan Cholasta
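The thread turns on two things: the format of the NSS/certutil trust-flag string (three comma-separated slots for SSL, e-mail and object signing, where "C" in the SSL slot is what makes NSS accept server certificates issued by that CA), and the decision that load_cacert must take trust_flags as a required argument rather than defaulting to "C,,". The following is an added example written for this page, not FreeIPA's certs module or the patch itself: a validator for trust-flag strings, a predicate that tells which CAs would be trusted to issue server certs, and a load_cacert-style helper that builds the certutil invocation and has no default for trust_flags. The nicknames, the database path and the sample trust assignments are constructed for illustration.

```python
"""
Added illustration of NSS trust-flag handling around a load_cacert-style
helper. This is example code, not FreeIPA's implementation.
"""
from typing import Dict, List

# Letters certutil accepts in a trust slot. "C" = trusted CA for that usage,
# "c" = valid CA, "T" = trusted CA for client auth, "p"/"P" = (trusted) peer,
# "u" = user cert, "w"/"W" = warn. Anything else is rejected.
VALID_TRUST_LETTERS = set("pPcCTuwW")
SLOTS = ("ssl", "email", "objsign")


def parse_trust_flags(flags: str) -> Dict[str, str]:
    """Split a certutil trust string like "CT,C,C" into its three slots.

    Raises ValueError on a wrong slot count or an unknown letter, so a typo
    such as "C," or "X,," never reaches the database.
    """
    parts = flags.split(",")
    if len(parts) != 3:
        raise ValueError(
            f"trust flags need three comma-separated slots, got {flags!r}")
    for part in parts:
        unknown = set(part) - VALID_TRUST_LETTERS
        if unknown:
            raise ValueError(
                f"unknown trust letter(s) {sorted(unknown)} in {flags!r}")
    return dict(zip(SLOTS, parts))


def trusts_server_certs(flags: str) -> bool:
    """True if NSS would accept server certs issued by a CA with these flags.

    Only "C" in the SSL slot grants that; ",," and ",C," do not.
    """
    return "C" in parse_trust_flags(flags)["ssl"]


def certutil_add_args(dbdir: str, nickname: str, trust_flags: str) -> List[str]:
    """Build the certutil command a load_cacert-style helper would run.

    trust_flags is deliberately a required positional parameter: there is no
    default, so an unknown CA can only get "C,," if the caller asks for it
    explicitly. The flags are validated before the command is assembled.
    """
    parse_trust_flags(trust_flags)
    # certutil -A adds a cert; -t sets trust; -a reads PEM (ASCII) input.
    return ["certutil", "-A", "-d", dbdir, "-n", nickname,
            "-t", trust_flags, "-a"]


def audit_server_trust(flags_by_nickname: Dict[str, str]) -> List[str]:
    """Return, sorted, the nicknames trusted to issue server certificates."""
    return sorted(nick for nick, flags in flags_by_nickname.items()
                  if trusts_server_certs(flags))


# Constructed sample of what an NSS database might hold after loading several
# CA certificates. Only entries with "C" in the SSL slot show up in the audit.
SAMPLE_DB = {
    "IPA CA": "CT,C,C",          # the IPA CA: trusted for SSL, e-mail, signing
    "External CA": ",,",         # loaded but not trusted for anything
    "Some other CA": "C,,",      # would also be trusted to issue server certs
}


if __name__ == "__main__":
    print(audit_server_trust(SAMPLE_DB))
    print(" ".join(certutil_add_args("/etc/httpd/alias", "External CA", ",,")))
```

Running the audit over the constructed database shows why a default of "C,," was rejected in the thread: every CA loaded with that default would appear in the list of issuers NSS accepts for server certificates, whereas ",," keeps the certificate available without granting it any trust.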
