[Freeipa-devel] [PATCH 0288] certs: Fix incorrect flag handling in load_cacert

Jan Cholasta jcholast at redhat.com
Tue Dec 2 13:02:06 UTC 2014


On 2.12.2014 at 13:55 Tomas Babej wrote:
>
> On 12/02/2014 01:45 PM, Jan Cholasta wrote:
>> Hi,
>>
>> On 2.12.2014 at 13:16 Tomas Babej wrote:
>>> Hi,
>>>
>>> For CA certificates that are not certificates of IPA CA, we incorrectly
>>> set the trust flags to ",,", regardless of what the actual trust_flags
>>> parameter was passed.
>>>
>>> Make the load_cacert method respect trust_flags and make "C,," the default
>>> set of trust flags.
>>
>> For unknown CA certificates, you must keep the default ",," and
>> explicitly override it where necessary. We don't want to trust *any*
>> CA certificate to issue server certs.
>>
>>>
>>> https://fedorahosted.org/freeipa/ticket/4779
>>
>> Honza
>
> Updated patch attached.
>
> However, this boils down to the same, so there is really no functional
> difference between the two versions of the patches in the current code
> base. In all places where load_cacert is called, the trust flags are
> explicitly overridden.
>

OK, then we don't need a default value at all.

-- 
Jan Cholasta
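As an added example (not code from this thread or from FreeIPA itself), a small Python model of the trust-flag handling discussed above: a validator for certutil-style trust strings, a loader that reproduces the reported bug of storing ",," for non-IPA CAs whatever the caller passed, and the fixed loader that takes no default and requires explicit trust flags. `FakeNSSDatabase`, the DER bytes and the helper names are constructed for this example.

```python
import re

# certutil trust string: three comma-separated fields (SSL, S/MIME, code signing),
# each a set of letters from p, P, c, T, C, u, w. ",," grants no trust at all.
_FIELD_RE = re.compile(r"[pPcTCuw]*")


def parse_trust_flags(flags):
    """Validate a trust string such as 'C,,' or 'CT,C,C' and return its 3 fields."""
    fields = flags.split(",")
    if len(fields) != 3:
        raise ValueError("expected three comma-separated fields: %r" % flags)
    for field in fields:
        if not _FIELD_RE.fullmatch(field):
            raise ValueError("unknown trust flag letter in %r" % flags)
    return tuple(fields)


def is_valid_trust_flags(flags):
    try:
        parse_trust_flags(flags)
    except ValueError:
        return False
    return True


def trusted_to_issue_server_certs(flags):
    """True only when the SSL field carries 'C' (trusted CA for server certs)."""
    ssl_field, _, _ = parse_trust_flags(flags)
    return "C" in ssl_field


class FakeNSSDatabase:
    """Stand-in for an NSS database (constructed): nickname -> (DER, trust flags)."""

    def __init__(self):
        self.certs = {}

    def load_cacert_buggy(self, nickname, der, trust_flags=",,"):
        # Pre-fix behaviour for CAs other than the IPA CA: the parameter is
        # silently ignored and ",," is always stored.
        self.certs[nickname] = (der, ",,")

    def load_cacert(self, nickname, der, trust_flags):
        # Fixed behaviour: no default, the caller must state the trust
        # explicitly, and the string is validated before it is stored.
        parse_trust_flags(trust_flags)
        self.certs[nickname] = (der, trust_flags)

    def trust_flags(self, nickname):
        return self.certs[nickname][1]
```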
