[Freeipa-devel] [PATCH 0288] certs: Fix incorrect flag handling in load_cacert

Tomas Babej tbabej at redhat.com
Tue Dec 2 12:55:38 UTC 2014


On 12/02/2014 01:45 PM, Jan Cholasta wrote:
> Hi,
>
> On 2.12.2014 at 13:16, Tomas Babej wrote:
>> Hi,
>>
>> For CA certificates that are not certificates of IPA CA, we incorrectly
>> set the trust flags to ",,", regardless of what the actual trust_flags
>> parameter passed was.
>>
>> Make the load_cacert method respect trust_flags and make "C,," the default
>> set of trust flags.
>
> For unknown CA certificates, you must keep the default ",," and
> explicitly override it where necessary. We don't want to trust *any*
> CA certificate to issue server certs.
>
>>
>> https://fedorahosted.org/freeipa/ticket/4779
>
> Honza

Updated patch attached.

However, this boils down to the same, so there is really no functional
difference between the two versions of the patches in the current code
base. In all places where load_cacert is called, the trust flags are
explicitly overridden.

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0288-2-certs-Fix-incorrect-flag-handling-in-load_cacert.patch
Type: text/x-patch
Size: 2530 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141202/0b693027/attachment.bin>
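
The difference between the ",," and "C,," defaults discussed in this thread, as an added example that is not part of the original messages or of FreeIPA's code: it parses NSS trust strings and audits a listing in the layout printed by `certutil -L` for CA entries trusted to issue server certificates that are not on an expected list. The helper names, nicknames and sample listing are constructed for illustration.

```python
import re

# NSS trust string: three comma-separated fields (SSL, S/MIME, object signing).
FIELDS = ("ssl", "email", "object_signing")
TRUST_RE = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")


def parse_trust(flags):
    """Split an NSS trust string such as 'C,,' into a dict of flag sets."""
    if not TRUST_RE.match(flags):
        raise ValueError("not an NSS trust string: %r" % flags)
    return dict(zip(FIELDS, (set(part) for part in flags.split(","))))


def issues_server_certs(flags):
    """True if the SSL field carries 'C' (trusted CA for server certs)."""
    return "C" in parse_trust(flags)["ssl"]


def audit(listing, expected_cas):
    """Return nicknames trusted to issue server certs that are not expected."""
    unexpected = []
    for line in listing.splitlines():
        # An entry is: nickname, whitespace, trust string as the last token.
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue  # header, blank line, or anything that is not an entry
        nickname, flags = parts[0].strip(), parts[1]
        if issues_server_certs(flags) and nickname not in expected_cas:
            unexpected.append(nickname)
    return unexpected


# Constructed sample listing (nicknames are made up for this example).
SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          CT,C,C
External Root CA                                             ,,
Imported Partner CA                                          C,,
Server-Cert                                                  u,u,u
"""

if __name__ == "__main__":
    print(audit(SAMPLE, expected_cas={"EXAMPLE.TEST IPA CA"}))
```

An entry loaded with ",," stays in the database without being a trust anchor, while one loaded with "C,," is reported unless it is on the expected list.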

