Am 30.06.23 um 15:31 schrieb Maximilian Fillinger:
The grammar in the 3rd sentence in the comment below is messed up. (I think I
understand it, but I'm not sure.)
+ if (session->opt->verify_hash_no_ca)
+ {
+ /*
+ * If we decide to verify the peer certificate based on the fingerprint
+ * we ignore wrong dates and the certificate not being trusted.
+ * Any other problem with the certificate (wrong key, bad cert,...)
+ * will still trigger an error.
+ * Clearing these flags relies on verify_cert will later rejecting a
+ * certificate that has no matching fingerprint.
+ */
+ uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED
+ | MBEDTLS_X509_BADCERT_EXPIRED
+ | MBEDTLS_X509_BADCERT_FUTURE;
+ *flags = *flags & ~flags_ignore;
+ }
+
Also, this comment is copied verbatim from Jason's commit 423ced962d which has
been reverted. I'm not a lawyer, but since comments are relatively easy to
rephrase, I think it's better to do that. My suggestion:
The comment is already mine. Jason never included an mBed TLS
implementation. I attributed the commit to Jason but some of the code
and this comment is already written by me.
Arne
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel