The grammar in the 3rd sentence in the comment below is messed up. (I think I 
understand it, but I'm not sure.)

> +    if (session->opt->verify_hash_no_ca)
> +    {
> +        /*
> +         * If we decide to verify the peer certificate based on the 
> fingerprint
> +         * we ignore wrong dates and the certificate not being trusted.
> +         * Any other problem with the certificate (wrong key, bad cert,...)
> +         * will still trigger an error.
> +         * Clearing these flags relies on verify_cert will later rejecting a
> +         * certificate that has no matching fingerprint.
> +         */
> +        uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED
> +                                | MBEDTLS_X509_BADCERT_EXPIRED
> +                                | MBEDTLS_X509_BADCERT_FUTURE;
> +        *flags = *flags & ~flags_ignore;
> +    }
> +
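Review bot: the third sentence of the comment ("Clearing these flags relies on verify_cert will later rejecting a certificate ...") is ungrammatical and understates the dependency the mask at `*flags = *flags & ~flags_ignore;` introduces: dropping NOT_TRUSTED, EXPIRED and FUTURE is only safe if verify_cert unconditionally rejects a certificate whose fingerprint is not in the pinned list afterwards, so the comment should state that as the precondition, e.g. "Clearing these flags is only safe because verify_cert later rejects any certificate whose fingerprint does not match." Minor style point: `*flags &= ~flags_ignore;` is the idiomatic form of the assignment.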

Also, this comment is copied verbatim from Jason's commit 423ced962d, which has 
been reverted. I'm not a lawyer, but since comments are relatively easy to 
rephrase, I think it's better to do that. My suggestion:

/*
 * If we verify the peer certificate based only on the fingerprint,
 * we ignore flags regarding the certificate's validity period and
 * the certificate being untrusted (because we don't have a CA to
 * check against).
 * Any other flags will still trigger an error.
 *
 * If the certificate's fingerprint doesn't match, it will be rejected
 * by verify_cert later.
 */


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
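The two-stage check the suggested comment describes, as an added stand-alone model (this is example code written for this page, not OpenVPN's or mbed TLS's code): first the flag mask from the patch, then the fingerprint comparison that the comment attributes to verify_cert. The MBEDTLS_X509_BADCERT_* values are assumed to match mbedtls/x509.h; the function names, the pinned-list layout and the sample fingerprints are constructed for the example.

```c
/*
 * Model of "verify the peer certificate by fingerprint, without a CA".
 * Added example, not OpenVPN or mbed TLS code. Flag values are assumed to
 * match mbedtls/x509.h; the rest is a constructed illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed mbed TLS verification flag bits (mbedtls/x509.h). */
#define MBEDTLS_X509_BADCERT_EXPIRED     0x0001
#define MBEDTLS_X509_BADCERT_REVOKED     0x0002
#define MBEDTLS_X509_BADCERT_CN_MISMATCH 0x0004
#define MBEDTLS_X509_BADCERT_NOT_TRUSTED 0x0008
#define MBEDTLS_X509_BADCERT_FUTURE      0x0200
#define MBEDTLS_X509_BADCERT_KEY_USAGE   0x0800

#define FP_LEN 32 /* SHA-256 fingerprint length */

/* Constructed sample fingerprints (not derived from real certificates).
 * OTHER_FP differs from the pinned one only in its last byte. */
static const uint8_t PINNED_FP[1][FP_LEN] = {{
    0x3a,0x7f,0x1c,0x90,0x55,0xe2,0x08,0xbd,0x64,0x19,0xa3,0xf7,0x2e,0xc1,0x80,0x5b,
    0xd9,0x46,0x0f,0x72,0xb8,0x2d,0xe1,0x9c,0x33,0x67,0xfa,0x04,0x8e,0x51,0xc7,0x1d }};
static const uint8_t OTHER_FP[FP_LEN] = {
    0x3a,0x7f,0x1c,0x90,0x55,0xe2,0x08,0xbd,0x64,0x19,0xa3,0xf7,0x2e,0xc1,0x80,0x5b,
    0xd9,0x46,0x0f,0x72,0xb8,0x2d,0xe1,0x9c,0x33,0x67,0xfa,0x04,0x8e,0x51,0xc7,0x1e };

/* Stage 1 (what the quoted hunk does): in fingerprint mode, drop the three
 * flags that cannot be judged without a CA; every other flag is kept. */
uint32_t filter_verify_flags(uint32_t flags, int verify_hash_no_ca)
{
    if (!verify_hash_no_ca) {
        return flags;
    }
    const uint32_t ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED
                          | MBEDTLS_X509_BADCERT_EXPIRED
                          | MBEDTLS_X509_BADCERT_FUTURE;
    return flags & ~ignore;
}

/* Stage 2 (the part the comment delegates to verify_cert): the peer's
 * fingerprint must match one pinned entry byte for byte. */
int fingerprint_allowed(const uint8_t *fp, const uint8_t (*allowed)[FP_LEN], size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (memcmp(fp, allowed[i], FP_LEN) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Combined decision: 1 = accept, 0 = reject. Clearing flags in stage 1 is
 * only safe because stage 2 always runs when fingerprint mode is on. */
int peer_cert_acceptable(uint32_t flags, int verify_hash_no_ca, const uint8_t *fp,
                         const uint8_t (*allowed)[FP_LEN], size_t n)
{
    uint32_t remaining = filter_verify_flags(flags, verify_hash_no_ca);
    if (remaining != 0) {
        return 0; /* revoked, bad key usage, CN mismatch, ... still fail */
    }
    if (verify_hash_no_ca && !fingerprint_allowed(fp, allowed, n)) {
        return 0; /* mask alone is not enough: unknown fingerprint */
    }
    return 1;
}

int main(void)
{
    uint32_t no_ca = MBEDTLS_X509_BADCERT_NOT_TRUSTED | MBEDTLS_X509_BADCERT_EXPIRED;
    printf("no CA, pinned fp, fingerprint mode:   %d\n",
           peer_cert_acceptable(no_ca, 1, PINNED_FP[0], PINNED_FP, 1));
    printf("no CA, unknown fp, fingerprint mode:  %d\n",
           peer_cert_acceptable(no_ca, 1, OTHER_FP, PINNED_FP, 1));
    printf("no CA + bad key usage, pinned fp:     %d\n",
           peer_cert_acceptable(no_ca | MBEDTLS_X509_BADCERT_KEY_USAGE, 1,
                                PINNED_FP[0], PINNED_FP, 1));
    printf("no CA, pinned fp, CA mode (no mask):  %d\n",
           peer_cert_acceptable(no_ca, 0, PINNED_FP[0], PINNED_FP, 1));
    return 0;
}
```

The point of the last two cases: a certificate that is only untrusted or out of its validity window passes in fingerprint mode solely because its fingerprint is pinned, while any other flag (here KEY_USAGE) and any unknown fingerprint still reject it, and with verify_hash_no_ca off the mask is never applied at all.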
