On 2.12.2014 at 13:55, Tomas Babej wrote:
On 12/02/2014 01:45 PM, Jan Cholasta wrote:
Hi,
On 2.12.2014 at 13:16, Tomas Babej wrote:
Hi,
For CA certificates that are not certificates of IPA CA, we incorrectly
set the trust flags to ",,", regardless of what trust_flags
parameter was actually passed.
Make the load_cacert method respect trust_flags and make "C,," the default
set of trust flags.
For unknown CA certificates, you must keep the default ",," and
explicitly override it where necessary. We don't want to trust *any*
CA certificate to issue server certs.
https://fedorahosted.org/freeipa/ticket/4779
Honza
Updated patch attached.
However, this boils down to the same, so there is really no functional
difference between the two versions of the patches in the current code
base. In all places where load_cacert is called, the trust flags are
explicitly overridden.
OK, then we don't need a default value at all.
--
Jan Cholasta
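
The difference between the ",," and "C,," trust flags discussed in this thread can be checked on an existing NSS database. The following is an added example, not code from the thread or from FreeIPA: it parses `certutil -L` style output and reports CAs whose SSL trust field carries `C` (trusted to issue server certificates) but which are not on an allow-list. The listing and all nicknames are constructed for illustration.

```python
import re

# Constructed sample of `certutil -L -d <db>` output (nicknames are made up).
SAMPLE_LISTING = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          CT,C,C
Third Party Root CA                                          C,,
Unknown Intermediate CA                                      ,,
Server-Cert                                                  u,u,u
"""

# Nickname, at least two spaces, then the three comma-separated flag fields.
ROW = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}(?P<flags>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$"
)


def parse_listing(text):
    """Return {nickname: (ssl, email, objsign)} from certutil -L style output."""
    certs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and blank lines do not match and are skipped
            certs[m.group("nick")] = tuple(m.group("flags").split(","))
    return certs


def issues_server_certs(flags):
    """True when the SSL field carries 'C' (trusted CA for server certs)."""
    return "C" in flags[0]


def unexpected_server_cas(text, allowed):
    """Nicknames trusted to issue server certs that are not on the allow-list."""
    return sorted(
        nick
        for nick, flags in parse_listing(text).items()
        if issues_server_certs(flags) and nick not in allowed
    )


if __name__ == "__main__":
    # Assumption: only the IPA CA is expected to hold server-cert trust.
    for nick in unexpected_server_cas(SAMPLE_LISTING, {"EXAMPLE.TEST IPA CA"}):
        print("unexpected server-cert trust:", nick)
```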