[Pulp-list] M2Crypto patch submitted upstream for cert verification against a chain of CAs and CRL support
Miroslav Suchý
msuchy at redhat.com
Thu Jan 26 15:08:21 UTC 2012
On 01/25/2012 04:38 PM, John Matthews wrote:
> We have submitted a request to upstream M2Crypto asking that a patch be accepted which will allow us to verify a certificate against a chain of CAs as well as honor all CRLs which are available. Additionally we have filed a BZ requesting that this patch be included in the Fedora version of M2Crypto. In the meantime we will continue to carry a patched M2Crypto in the Pulp repos.
>
> The heart of the patch is adding a "verify_cert" call to the X509_Store_Context. This allows us to essentially perform the same certificate verification done by "openssl verify".
>
> Below is information relating to this:
>
> Fedora Bug asking to apply patch submitted to upstream:
> Bug 784616 - Patch to allow certificate verification against a chain of CAs and a stack of CRLs
> https://bugzilla.redhat.com/show_bug.cgi?id=784616
>
> Upstream, M2Crypto bug:
> https://bugzilla.osafoundation.org/show_bug.cgi?id=12954
As Mirek Trmač stated, M2Crypto upstream is dead. In the long term, the best
option is to use the NSS libs. E.g. urlgrabber has already made this change.
--
Miroslav Suchy
Red Hat Satellite Engineering