On 30.06.23 at 15:31, Maximilian Fillinger wrote:
The grammar in the 3rd sentence in the comment below is messed up. (I think I understand it, but I'm not sure.)+ if (session->opt->verify_hash_no_ca) + { + /* + * If we decide to verify the peer certificate based on the fingerprint + * we ignore wrong dates and the certificate not being trusted. + * Any other problem with the certificate (wrong key, bad cert,...) + * will still trigger an error. + * Clearing these flags relies on verify_cert will later rejecting a + * certificate that has no matching fingerprint. + */ + uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED + | MBEDTLS_X509_BADCERT_EXPIRED + | MBEDTLS_X509_BADCERT_FUTURE; + *flags = *flags & ~flags_ignore; + } +Also, this comment is copied verbatim from Jason's commit 423ced962d which has been reverted. I'm not a lawyer, but since comments are relatively easy to rephrase, I think it's better to do that. My suggestion:
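Review bot: the third sentence of the comment in the `verify_hash_no_ca` block reads "relies on verify_cert will later rejecting a certificate"; this should be "relies on verify_cert later rejecting a certificate that has no matching fingerprint", since that is the invariant the flag clearing depends on. Because the block masks out `MBEDTLS_X509_BADCERT_NOT_TRUSTED`, `MBEDTLS_X509_BADCERT_EXPIRED` and `MBEDTLS_X509_BADCERT_FUTURE` unconditionally whenever `verify_hash_no_ca` is set, the comment should also state explicitly that this is only safe when the later fingerprint check is mandatory in that mode, so a future change to `verify_cert` cannot silently turn the masked flags into an accepted untrusted or expired certificate.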
The comment is already mine. Jason never included an mbed TLS implementation. I attributed the commit to Jason, but some of the code and this comment were already written by me.
Arne

_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
