Hi, after talking with Marius: The last sentence in his mail concerning the progress suffers from poor translation, and can safely be ignored ;-)
We didn't intend to push anybody. VlG-(Marius Timmer &) Arne Scheffer On 25.10.18 15:08, Marius Timmer wrote:
Dear hackers, We (Julian and I) would like to show you the seventh version of this patch which includes all the things mentioned before. Unfortunately we did not find the time to do this earlier. On 07/19/2018 03:00 AM, Thomas Munro wrote:you could just have one common code path to reach CheckCertAuth() for all auth methods after that switch statement, instead of the more complicated conditional coding you have now with two ways to reach it.There is only one path now to call CheckCertAuth(). I don't think we have left too many complicated conditions.That would result in a couple less LOC and a bit clearer conditionals, I agree. If there are no objections to make uaCert a quasi-alias of uaTrust with clientcert=verify-full, I'll go ahead and change the code accordingly.uaCert and uaTrust are handled the same within the switch statement.I'll make sure that the error messages are still handled based on the auth method and not only depending on the clientcert flag.As far as I know we already handled the error message based on the auth method and clientcert flag. On 07/30/2018 12:20, Julian Markwort wrote:I'm open for suggestions, but in absence of objections I might just capitalize all occurrences of CN.We decided to stick with the old style for now. So we changed all occurrences of cn to lower case.Yes, we should adopt the new style in all places. I'll rewrite that passage to indicate that cert authentication essentially results in the same behavior as clientcert=verify-full. The existing text is somewhat ambiguous anyway, in case somebody decides to skip over the restriction described in the second sentence.We fixed that. Additionally we added the alias "no-verify" for clientcert=0 since it seems to be a good idea to have aliases for all three available values.What do you think about using clientCertCA for the enumerator name instead of clientCertOn? That would correspond better to the names "verify-ca" and "verify-full".+1 I'm not sure if Magnus had any other cases in mind when he named it clientCertOn?We agree that clientCertCA is a better name for it. Since Magnus does not seem to have any concerns about it we changed that as well. Julian and I think the time has come for this patch to make some progress. After a few months I think there is not that much to discuss anymore. Kind regards, Marius Timmer
-- Arne Scheffer Webanwendungen Beratung und Service (mit R. Mersch) Westfälische Wilhelms-Universität Münster (WWU) Zentrum für Informationsverarbeitung (ZIV) Röntgenstraße 7-13 Besucheradresse: Einsteinstraße 60, Raum 104 48149 Münster +49 251 83 31581 arne.schef...@uni-muenster.de https://www.uni-muenster.de/ZIV
smime.p7s
Description: S/MIME Cryptographic Signature