[Pulp-list] M2Crypto patch submitted upstream for cert verification against a chain of CAs and CRL support

John Matthews jmatthew at redhat.com
Wed Jan 25 15:38:13 UTC 2012


We have submitted a request to upstream M2Crypto asking that a patch be accepted which will allow us to verify a certificate against a chain of CAs as well as honor all CRLs which are available.  Additionally we have filed a BZ requesting that this patch be included in the Fedora version of M2Crypto.  In the meantime we will continue to carry a patched M2Crypto in the Pulp repos.

The heart of the patch is adding a "verify_cert" call to the X509_Store_Context.  This allows us to essentially perform the same certificate verification done by "openssl verify".

Below is information relating to this:

Fedora Bug asking to apply patch submitted to upstream:
Bug 784616 - Patch to allow certificate verification against a chain of CAs and a stack of CRLs 
https://bugzilla.redhat.com/show_bug.cgi?id=784616

Upstream, M2Crypto bug:
https://bugzilla.osafoundation.org/show_bug.cgi?id=12954


Pulp Wiki Pages:
 https://fedorahosted.org/pulp/wiki/CertChainVerification
 https://fedorahosted.org/pulp/wiki/CertRevocationList

For those interested in seeing some examples, we have sample scripts and code in our 'playpen' directory in git.
 http://git.fedorahosted.org/git/?p=pulp.git;a=tree;f=playpen/certs/chain_example;hb=HEAD

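For readers who want to see exactly what "the same certificate verification done by openssl verify" means here, the following is an added shell example; it is not Pulp's or M2Crypto's code and is not taken from the playpen directory above. It builds a throwaway root CA -> intermediate CA -> leaf chain with the openssl CLI, issues a CRL from each CA, and runs the chain-plus-CRL checks that the verify_cert patch is meant to reproduce. It assumes an `openssl` binary (1.1.1 or newer) on PATH; the CA names, file layout and config sections are made up for the demonstration.

```shell
# Added example, not Pulp's or M2Crypto's code: build a root -> intermediate ->
# leaf chain with the openssl CLI, issue a CRL from each CA, and run the
# `openssl verify` checks that the verify_cert patch reproduces. Assumes an
# `openssl` binary (1.1.1 or newer) on PATH; all names here are made up.
set -e

# Minimal configs so nothing depends on the system openssl.cnf: one file for
# `req`/`x509 -extfile`, and one `openssl ca` config per CA for issuing CRLs.
write_cnf() {
  d=$1
  cat > "$d/req.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF
  for ca in root intermediate; do
    : > "$d/$ca-index.txt"           # empty `openssl ca` database
    cat > "$d/$ca-ca.cnf" <<EOF
[ ca ]
default_ca = this_ca
[ this_ca ]
database = $d/$ca-index.txt
certificate = $d/$ca.pem
private_key = $d/$ca.key
default_md = sha256
default_crl_days = 30
EOF
  done
}

# One CRL per CA, concatenated: `openssl verify -CRLfile` takes a single file
# holding any number of PEM CRLs, i.e. the "stack of CRLs".
issue_crls() {
  for ca in root intermediate; do
    openssl ca -config "$1/$ca-ca.cnf" -gencrl -out "$1/$ca.crl" 2>/dev/null
  done
  cat "$1/root.crl" "$1/intermediate.crl" > "$1/crls.pem"
}

# Build the throwaway PKI in a fresh temp dir and print its path.
setup_pki() {
  d=$(mktemp -d)
  write_cnf "$d"
  key="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
  openssl req -x509 $key -keyout "$d/root.key" -out "$d/root.pem" -days 30 \
    -subj "/CN=Example Root CA" -config "$d/req.cnf" -extensions v3_ca 2>/dev/null
  openssl req -new $key -keyout "$d/intermediate.key" -out "$d/intermediate.csr" \
    -subj "/CN=Example Intermediate CA" -config "$d/req.cnf" 2>/dev/null
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/req.cnf" -extensions v3_ca \
    -out "$d/intermediate.pem" 2>/dev/null
  openssl req -new $key -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=repo.example.invalid" -config "$d/req.cnf" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.pem" \
    -CAkey "$d/intermediate.key" -CAcreateserial -days 30 \
    -extfile "$d/req.cnf" -extensions v3_leaf -out "$d/leaf.pem" 2>/dev/null
  issue_crls "$d"
  echo "$d"
}

# Revoke the leaf in the intermediate CA's database and reissue the CRLs.
revoke_leaf() {
  openssl ca -config "$1/intermediate-ca.cnf" -revoke "$1/leaf.pem" 2>/dev/null
  issue_crls "$1"
}
# Chain check only: root as trust anchor, intermediate as untrusted helper.
verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" "$1/leaf.pem" 2>&1
}
# Chain check plus revocation checking of every cert in the chain
# (-crl_check_all), so the root's own CRL must be in the stack too.
verify_chain_with_crls() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" \
    -CRLfile "$1/crls.pem" -crl_check_all "$1/leaf.pem" 2>&1
}
# Without the intermediate, no path to the trusted root can be built.
verify_without_intermediate() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
}
# Print a check's result without aborting the script under set -e.
report() {
  label=$1; shift
  if out=$("$@"); then echo "$label: $out"; else echo "$label: FAILED"; echo "$out"; fi
}

main() {
  d=$(setup_pki)
  report "chain only" verify_chain "$d"                               # OK
  report "chain + CRLs, nothing revoked" verify_chain_with_crls "$d"  # OK
  report "missing intermediate" verify_without_intermediate "$d"      # FAILED: unable to get local issuer certificate
  revoke_leaf "$d"
  report "chain + CRLs, leaf revoked" verify_chain_with_crls "$d"     # FAILED: certificate revoked
  rm -rf "$d"
}
main
```

Two details worth noticing when mapping this onto an X509_Store_Context-based check: the intermediate is passed as untrusted and only the root is in the trust store, so the chain must be built rather than merely matched against a single CA, and `-crl_check_all` checks every certificate in the built chain (the trust anchor included), which is why the CRL file has to carry the root's CRL as well as the intermediate's.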
