[Freeipa-devel] [PATCH 0288] certs: Fix incorrect flag handling in load_cacert

Tomas Babej tbabej at redhat.com
Tue Dec 2 13:09:15 UTC 2014


On 12/02/2014 02:02 PM, Jan Cholasta wrote:
> On 2.12.2014 at 13:55, Tomas Babej wrote:
>>
>> On 12/02/2014 01:45 PM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 2.12.2014 at 13:16, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> For CA certificates that are not certificates of IPA CA, we
>>>> incorrectly
>>>> set the trust flags to ",,", regardless of what the actual trust_flags
>>>> parameter was passed.
>>>>
>>>> Make the load_cacert method respect trust_flags and make "C,," the default
>>>> set of trust flags.
>>>
>>> For unknown CA certificates, you must keep the default ",," and
>>> explicitly override it where necessary. We don't want to trust *any*
>>> CA certificate to issue server certs.
>>>
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4779
>>>
>>> Honza
>>
>> Updated patch attached.
>>
>> However, this boils down to the same, so there is really no functional
>> difference between the two versions of the patches in the current code
>> base. All places where load_cacert is called, the trust flags are
>> explicitly overridden.
>>
>
> OK, then we don't need a default value at all.
>

Updated patch makes trust_flags a required argument of load_cacert.

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0288-3-certs-Fix-incorrect-flag-handling-in-load_cacert.patch
Type: text/x-patch
Size: 2483 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141202/7881a092/attachment.bin>
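The following is an added example, not part of this thread and not FreeIPA's code. It sketches the outcome discussed above: a caller must pass NSS trust flags explicitly, and a review helper can tell ",," (no trust) from "C,," (trusted to issue server certificates). The function names and the db_dir, nickname and cert_path parameters are hypothetical; the flag letters and certutil options are the ones NSS certutil documents.

```python
# Added example; function names are hypothetical, not FreeIPA's API.

# Trust flag letters documented for `certutil -t`.
NSS_FLAGS = frozenset("pPcCTuw")


def parse_trust_flags(trust_flags):
    """Split an NSS trust string 'SSL,S/MIME,code-signing' into three sets."""
    fields = trust_flags.split(",")
    if len(fields) != 3:
        raise ValueError("expected three comma-separated fields: %r" % trust_flags)
    for field in fields:
        unknown = set(field) - NSS_FLAGS
        if unknown:
            raise ValueError("unknown trust flag(s) %s in %r"
                             % ("".join(sorted(unknown)), trust_flags))
    return tuple(frozenset(field) for field in fields)


def trusts_server_cert_issuer(trust_flags):
    """True if the SSL field marks the CA as trusted to issue server certs."""
    ssl_flags, _smime_flags, _codesign_flags = parse_trust_flags(trust_flags)
    return "C" in ssl_flags


def certutil_add_args(db_dir, nickname, cert_path, trust_flags):
    """Build the certutil command that adds a PEM CA certificate to an NSS DB.

    trust_flags has no default, so every caller states the trust it grants
    and an omitted argument fails loudly instead of silently becoming ',,'
    or 'C,,'.
    """
    parse_trust_flags(trust_flags)  # reject malformed strings before use
    return ["certutil", "-A", "-d", db_dir, "-n", nickname,
            "-t", trust_flags, "-a", "-i", cert_path]


if __name__ == "__main__":
    # Constructed sample values.
    for flags in (",,", "C,,", "CT,C,C"):
        print(repr(flags), "issues server certs:",
              trusts_server_cert_issuer(flags))
    print(certutil_add_args("/tmp/nssdb", "Example CA", "ca.pem", ",,"))
```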

