[Freeipa-devel] [PATCH] 72 Fix uses of O=REALM instead of the configured certificate subject base

Jan Cholasta jcholast at redhat.com
Tue Mar 27 11:09:58 UTC 2012


On 26.3.2012 22:17, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> On 26.3.2012 16:15, Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> https://fedorahosted.org/freeipa/ticket/2521
>>>>
>>>> Honza
>>>
>>> You can still set a custom subject base for selfsign installations so
>>> you need a special case in valid_issuer().
>>
>> For selfsign installations, the issuer is always "CN=REALM Certificate
>> Authority", no matter what is set in the subject base, so no special
>> case is needed.
>>
>>> I wonder if this comparison
>>> should be case insensitive too.
>>
>> I think the DN class already takes care of this.
>>
>>>
>>> It may also be an optimization to cache the base in subject_base(). It
>>> can't change after install time so it should be valid the entire
>>> lifetime of the server.
>>
>> What if someone does
>>
>> $ ipa config-mod --setattr ipacertificatesubjectbase='O=Something'
>
> Ok, you're right about the issuer and DN case insensitivity, so we're
> good there. I think that caching is still a good idea.
>
> We'll handle the immutable subjectbase as a separate problem. This is
> really pretty minor and isn't a show stopper, you just have to revert it
> and things work again.
>
> rob

Updated patch attached. Added caching and fixed one more occurrence of 
O=REALM, in make-testcert.

Honza

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-72.1-certificate-subject-base.patch
Type: text/x-patch
Size: 7913 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120327/a61ea6a6/attachment.bin>
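Added example, not code from the patch or from FreeIPA: a small Python model of the two points settled above, the case-insensitive issuer comparison and the subject-base cache. It assumes a dogtag-issued IPA CA certificate carries the issuer "CN=Certificate Authority,<subject base>" (assumed layout), that selfsign installations use "CN=<REALM> Certificate Authority" regardless of the subject base, and that DN comparison is case-insensitive for attribute types and CN/O values as the DN class provides. The names parse_dn, valid_issuer and SubjectBaseCache are hypothetical.

```python
"""Model of the issuer check and subject-base caching discussed in the thread.

Added example, not FreeIPA's own code. Assumptions (not on the page):
  - dogtag issuer layout is "CN=Certificate Authority,<subject base>";
  - selfsign issuer is "CN=<REALM> Certificate Authority";
  - DN comparison ignores case of attribute types and CN/O values.
"""


def parse_dn(dn):
    """Split an RFC 4514 string DN into a tuple of (type, value) RDNs.

    Backslash escapes protect commas inside values; types and values are
    stripped and lower-cased so that tuple equality is case-insensitive.
    """
    parts = []
    buf = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == '\\' and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if c == ',':
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append(''.join(buf))

    rdns = []
    for part in parts:
        if '=' not in part:
            raise ValueError('malformed RDN: %r' % part)
        attr, value = part.split('=', 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def valid_issuer(issuer, realm, subject_base, selfsign=False):
    """Return True if `issuer` is the DN the IPA CA is expected to use.

    The selfsign case needs no special handling of the subject base: its
    issuer is fixed to "CN=<REALM> Certificate Authority".
    """
    if selfsign:
        expected = 'CN=%s Certificate Authority' % realm
    else:
        expected = 'CN=Certificate Authority,%s' % subject_base
    return parse_dn(issuer) == parse_dn(expected)


class SubjectBaseCache:
    """Cache ipacertificatesubjectbase after the first lookup.

    Models the caching suggested in the thread. The trade-off Jan raises
    is visible in get(): once cached, a later change of the attribute
    (e.g. via `ipa config-mod --setattr`) is not seen until invalidate().
    """

    def __init__(self, fetch):
        self._fetch = fetch  # callable returning the current subject base
        self._cached = None
        self.lookups = 0  # how many times the backend was actually queried

    def get(self):
        if self._cached is None:
            self._cached = self._fetch()
            self.lookups += 1
        return self._cached

    def invalidate(self):
        self._cached = None


def demo():
    """Constructed config entry; shows cache staleness after a config change."""
    config = {'ipacertificatesubjectbase': 'O=EXAMPLE.COM'}
    cache = SubjectBaseCache(lambda: config['ipacertificatesubjectbase'])
    first = cache.get()
    config['ipacertificatesubjectbase'] = 'O=Something'  # simulated config-mod
    stale = cache.get()  # still the old value, no second lookup
    cache.invalidate()
    fresh = cache.get()
    return first, stale, fresh, cache.lookups


if __name__ == '__main__':
    print(demo())
```

Running the block prints the cached, stale and refreshed subject base together with the lookup count, which shows that the cache only pays for one backend query but also why it must be invalidated if the attribute is ever allowed to change.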
