On 2.12.2014 at 14:09, Tomas Babej wrote:
On 12/02/2014 02:02 PM, Jan Cholasta wrote:
On 2.12.2014 at 13:55, Tomas Babej wrote:
On 12/02/2014 01:45 PM, Jan Cholasta wrote:
On 2.12.2014 at 13:16, Tomas Babej wrote:
For CA certificates that are not certificates of IPA CA, we
set the trust flags to ",,", regardless of what trust_flags
parameter was actually passed.
Make the load_cacert method respect trust_flags and make "C,," the default
set of trust flags.
For unknown CA certificates, you must keep the default ",," and
explicitly override it where necessary. We don't want to trust *any*
CA certificate to issue server certs.
Updated patch attached.
However, this boils down to the same, so there is really no functional
difference between the two versions of the patches in the current code
base. All places where load_cacert is called, the trust flags are
OK, then we don't need a default value at all.
Updated patch makes trust_flags a required argument of load_cacert.
Freeipa-devel mailing list
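
Added example, not part of the thread and not FreeIPA code: a check over `certutil -L` output for CA certificates that carry `C` in the SSL trust field (trusted to issue server certificates) without being explicitly allowed, plus a command builder that, like the final patch, takes trust flags as a required argument. The listing and nicknames are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `certutil -L -d <nssdb>` output; nicknames are made up.
SAMPLE_LISTING = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          CT,C,C
Server-Cert                                                  u,u,u
External Root CA                                             C,,
Intermediate CA                                              ,,
"""

# Three comma-separated fields (SSL, S/MIME, object signing) of NSS flag letters.
FLAGS = r"[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*"
ROW_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<flags>" + FLAGS + r")$")


def parse_listing(text):
    """Return {nickname: (ssl, smime, objsign)}; header lines do not match."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if m:
            certs[m.group("nick")] = tuple(m.group("flags").split(","))
    return certs


def unexpected_server_issuers(text, allowed):
    """Nicknames with 'C' in the SSL field that are not in the allowed set."""
    return sorted(
        nick for nick, (ssl, _smime, _objsign) in parse_listing(text).items()
        if "C" in ssl and nick not in allowed
    )


def add_ca_argv(dbdir, nickname, pem_path, trust_flags):
    """Build the certutil import command; trust_flags has no default on purpose."""
    if not re.fullmatch(FLAGS, trust_flags):
        raise ValueError("trust flags must look like 'C,,' or ',,'")
    return ["certutil", "-A", "-d", dbdir, "-n", nickname,
            "-t", trust_flags, "-a", "-i", pem_path]


if __name__ == "__main__":
    print(unexpected_server_issuers(SAMPLE_LISTING, {"EXAMPLE.TEST IPA CA"}))
```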