On Tuesday, February 7, 2012, Peter Eisentraut wrote:
> On tis, 2012-01-24 at 22:05 +0200, Peter Eisentraut wrote:
> > > > One thing that is perhaps worth thinking about: Currently, we just
> > > > ignore missing root.crt and root.crl files. With this patch, we still
> > > > do this, even if the user has given a specific nondefault location.
> > > > That seems a bit odd, but I can't think of a simple way to do it better.
> > >
> > > There's a review in the CF app for this finding only minor issues, so
> > > I'm marking this patch therein as "Ready for Committer".
> >
> > OK, no one had any concerns about the missing file behavior I
> > described above? If not, then I'll commit it soon.
>
> I'm still worried about this. If we ignore a missing root.crt, then the
> effect is that authentication and certificate verification might fail,
> which would be annoying, but you'd notice it soon enough. But if we
> ignore a missing root.crl, we are creating a security hole.
>

Yes, ignoring a missing file in a security context is definitely not good. It should throw an error. We have a few bad defaults from the old days around SSL for this, but if it requires breaking backwards compatibility to get it right, I think we should still do it.

> My best idea at the moment is that we should set these parameters to
> empty by default, and make users point them to existing files if they
> want to use that functionality. Comments?
>

+1. Anybody who actually cares about setting up security is likely not going to rely on defaults anyway - and is certainly going to review whatever they are. So there should be no big problem there.

//Magnus

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
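As an added example (not code from this thread or from PostgreSQL itself), a shell audit of a postgresql.conf that treats the SSL file settings the way the thread argues the server should: an empty value means the feature is off, and a configured path that does not exist is reported as an error instead of being silently ignored. The parameter names ssl_ca_file and ssl_crl_file, and resolving relative paths against the data directory, are assumptions here.

```shell
# Added example, not code from the thread or from PostgreSQL itself: audit the
# SSL file settings of a postgresql.conf as the thread argues the server should
# treat them: empty = feature off; a non-empty value must name an existing file,
# otherwise it is an error rather than silently ignored. The parameter names
# ssl_ca_file and ssl_crl_file and data-directory-relative paths are assumed.

# Print PARAM's value from CONF (last assignment wins, quotes and trailing
# comment stripped); prints nothing if PARAM is not set.
conf_value() {
    line=$(grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1)
    [ -n "$line" ] || return 0
    val=${line#*=}                     # drop "param ="
    val=${val%%#*}                     # drop trailing comment
    printf '%s' "$val" | sed "s/^[[:space:]]*'\{0,1\}//; s/'\{0,1\}[[:space:]]*$//"
}

# Check one parameter; relative paths resolve against DATADIR. Returns 0 when
# the setting is empty or names an existing file, 1 when the file is missing
# (for the CRL, the case the thread calls a security hole).
check_ssl_file() {
    conf=$1; param=$2; datadir=$3
    path=$(conf_value "$conf" "$param")
    if [ -z "$path" ]; then
        echo "$param: not set, feature disabled"; return 0
    fi
    case $path in /*) ;; *) path="$datadir/$path" ;; esac
    if [ -f "$path" ]; then
        echo "$param: using $path"; return 0
    fi
    echo "$param: configured as $path but the file is missing" >&2
    return 1
}

# Audit both settings; the return value is the number of missing files.
audit_ssl_files() {
    bad=0
    check_ssl_file "$1" ssl_ca_file "$2" || bad=$((bad + 1))
    check_ssl_file "$1" ssl_crl_file "$2" || bad=$((bad + 1))
    return $bad
}

# Constructed sample data directory: the CA file exists, the CRL file does not.
demo_setup() {
    dir=$(mktemp -d)
    printf 'constructed-ca\n' > "$dir/root.crt"
    cat > "$dir/postgresql.conf" <<EOF
ssl_ca_file = 'root.crt'      # present
ssl_crl_file = 'root.crl'     # configured but absent: must be flagged
EOF
    echo "$dir"
}
```

Run `audit_ssl_files "$PGDATA/postgresql.conf" "$PGDATA"` against a real data directory; a non-zero exit means a configured CA or CRL file is absent.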