We have submitted a request to upstream M2Crypto asking that a patch be accepted which will allow us to verify a certificate against a chain of CAs as well as honor all CRLs which are available. Additionally we have filed a BZ requesting that this patch be included in the Fedora version of M2Crypto. In the meantime we will continue to carry a patched M2Crypto in the Pulp repos.
The heart of the patch is adding a "verify_cert" call to the X509_Store_Context. This allows us to essentially perform the same certificate verification done by "openssl verify".

Below is information relating to this:

Fedora Bug asking to apply patch submitted to upstream:
Bug 784616 - Patch to allow certificate verification against a chain of CAs and a stack of CRLs
https://bugzilla.redhat.com/show_bug.cgi?id=784616

Upstream M2Crypto bug:
https://bugzilla.osafoundation.org/show_bug.cgi?id=12954

Pulp Wiki Pages:
https://fedorahosted.org/pulp/wiki/CertChainVerification
https://fedorahosted.org/pulp/wiki/CertRevocationList

For those interested in seeing some examples, we have sample scripts and code in our 'playpen' directory in git.
http://git.fedorahosted.org/git/?p=pulp.git;a=tree;f=playpen/certs/chain_example;hb=HEAD
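To see concretely what "verify against a chain of CAs and honor all CRLs" means, here is the equivalent check done with the openssl CLI that the patched verify_cert mirrors. This is an added example, not Pulp's playpen code or M2Crypto's: it builds a throwaway root, intermediate and two leaf certificates, revokes one leaf, and runs "openssl verify" with a CRL for every CA in the chain. All file names and subject names are assumptions made up for the demo.

```shell
#!/bin/sh
# Added example (not Pulp or M2Crypto code): reproduce with the openssl CLI what
# the patched X509_Store_Context.verify_cert does -- verify a leaf against a CA
# chain while honouring the CRL of every CA in that chain (-crl_check_all).
# Every key, certificate and CRL below is throwaway material generated here.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf    # minimal req config
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
KEY='-newkey rsa:2048 -nodes'

# Root CA, intermediate CA signed by the root, two leaves signed by the intermediate.
openssl req -config req.cnf -x509 $KEY -keyout root.key -out root.pem -days 2 \
  -subj '/CN=Demo Root' -addext 'basicConstraints=critical,CA:TRUE' 2>/dev/null
openssl req -config req.cnf -new $KEY -keyout inter.key -out inter.csr -subj '/CN=Demo Intermediate' 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out inter.pem -days 2 2>/dev/null
for n in good revoked; do
  openssl req -config req.cnf -new $KEY -keyout $n.key -out $n.csr -subj "/CN=$n-client" 2>/dev/null
  openssl x509 -req -in $n.csr -CA inter.pem -CAkey inter.key -CAcreateserial -out $n.pem -days 2 2>/dev/null
done

# make_crl <ca_cert> <ca_key> <out_crl> [cert_to_revoke]: issue a CRL with "openssl ca",
# using a throwaway index so the CA state lives entirely inside this temp dir.
make_crl() {
  d=$(mktemp -d); cp "$1" "$d/ca.pem"; cp "$2" "$d/ca.key"
  : > "$d/index.txt"; echo 'unique_subject = no' > "$d/index.txt.attr"; echo 01 > "$d/crlnumber"
  printf '[ca]\ndefault_ca=x\n[x]\ndir=%s\ndatabase=$dir/index.txt\ncrlnumber=$dir/crlnumber\n' "$d" > "$d/ca.cnf"
  printf 'certificate=$dir/ca.pem\nprivate_key=$dir/ca.key\ndefault_md=sha256\ndefault_crl_days=1\n' >> "$d/ca.cnf"
  [ -z "$4" ] || openssl ca -config "$d/ca.cnf" -revoke "$4" 2>/dev/null
  openssl ca -config "$d/ca.cnf" -gencrl -out "$3" 2>/dev/null
}
make_crl root.pem root.key root.crl                 # root's CRL: nothing revoked
make_crl inter.pem inter.key inter.crl revoked.pem  # intermediate's CRL lists one leaf
cat root.crl inter.crl > crls.pem                   # the "stack of CRLs", one per CA

# verify_leaf <cert>: the root is the only trust anchor, the intermediate is supplied
# untrusted, and -crl_check_all demands a valid CRL for every certificate in the chain.
verify_leaf() {
  openssl verify -CAfile root.pem -untrusted inter.pem -CRLfile crls.pem -crl_check_all "$1"
}
# revoked_by_crl <cert>: succeeds only when verification failed because a CRL lists the cert.
revoked_by_crl() {
  verify_leaf "$1" 2>&1 | grep -q 'certificate revoked'
}

verify_leaf good.pem             # prints "good.pem: OK"
verify_leaf revoked.pem || true  # reports "certificate revoked" and fails
```

Drop -crl_check_all to check only the leaf's CRL, or omit -CRLfile entirely to see how verification fails when a required CRL is missing rather than silently passing.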