On 2.12.2014 at 14:09, Tomas Babej wrote:

On 12/02/2014 02:02 PM, Jan Cholasta wrote:
On 2.12.2014 at 13:55, Tomas Babej wrote:

On 12/02/2014 01:45 PM, Jan Cholasta wrote:
Hi,

On 2.12.2014 at 13:16, Tomas Babej wrote:
Hi,

For CA certificates that are not certificates of IPA CA, we incorrectly
set the trust flags to ",,", regardless of what trust_flags parameter
was actually passed.

Make the load_cacert method respect trust_flags and make "C,," the default
set of trust flags.

For unknown CA certificates, you must keep the default ",," and
explicitly override it where necessary. We don't want to trust *any*
CA certificate to issue server certs.


https://fedorahosted.org/freeipa/ticket/4779

Honza

Updated patch attached.

However, this boils down to the same, so there is really no functional
difference between the two versions of the patches in the current code
base. In all places where load_cacert is called, the trust flags are
explicitly overridden.


OK, then we don't need a default value at all.


Updated patch makes trust_flags a required argument of load_cacert.


Thanks, ACK!

Pushed to:
master: faec4ef9de431a1b72423be8ce6cea28a7221531
ipa-4-1: db4ac4774523c1d41a606b1c0297e9eeae13ebd6

Honza

--
Jan Cholasta
