[pve-devel] Fix for chained certificates in pve-ssl.pem
Michael Rasmussen
mir at datanom.net
Wed May 29 16:52:58 CEST 2013
On Wed, 29 May 2013 14:22:36 +0000
Dietmar Maurer <dietmar at proxmox.com> wrote:
>
> Sure, because we need to sign the applet.
>
I know. It was just an indication to you that my patch is untested.
> > So I have attached a file containing what the patch should look like.
>
> + if (!ca_match && !pvecert.equals(certs[0])) {
>
>
> We still compare with certs[0] - maybe we should compare with all certs instead? Or
> is there a defined order for those certs?
>
All the instructions I have read anywhere follow this algorithm:
specific -> general
So certs[0] should match, but to be bulletproof maybe a comparison
should be made against the complete chain.
Untested:

    // Replaces the certs[0]-only comparison from the patch: when the CA check
    // has failed, scan the whole chain for the pinned pve-ssl certificate.
    // (Condition negated to match the quoted "!ca_match && ..." check.)
    boolean match = false;
    if (!ca_match) {
        for (int i = 0; i < certs.length; i++) {
            if (pvecert.equals(certs[i])) {
                match = true;
                break;
            }
        }
        if (!match)
            throw new CertificateException("certificate does not match");
    }
--
Hilsen/Regards
Michael Rasmussen
Get my public GnuPG keys:
michael <at> rasmussen <dot> cc
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E
mir <at> datanom <dot> net
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C
mir <at> miras <dot> org
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917
--------------------------------------------------------------
All bridge hands are equally likely, but some are more equally likely
than others.
-- Alan Truscott
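The check sketched in the message above, carried through as an added example in Go rather than the applet's Java; this is not Proxmox code. It builds a throwaway private CA, a leaf it issued and an unrelated self-signed certificate in memory, then applies the decision from the quoted patch: accept when the chain verifies against the trusted CA pool, otherwise require the pinned certificate somewhere in the chain. TLS (RFC 5246, section 7.4.2) requires the server's own certificate first, followed by its issuers, which is the "specific -> general" order referred to above; the third scenario deliberately sends the chain CA-first, which a certs[0]-only comparison would reject while the full-chain scan still accepts it. The function names (checkServerTrusted, pinnedInChain), the certificate subjects and the scenario labels are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// pinnedInChain reports whether the pinned certificate (the pve-ssl.pem cert)
// appears anywhere in the presented chain. DER encodings are compared, which is
// also what Java's Certificate.equals() does.
func pinnedInChain(pinned *x509.Certificate, chain []*x509.Certificate) bool {
	for _, c := range chain {
		if bytes.Equal(c.Raw, pinned.Raw) {
			return true
		}
	}
	return false
}

// checkServerTrusted applies the decision from the quoted patch: a chain that
// verifies against the CA pool is accepted; otherwise the pinned certificate
// must be present. The whole chain is scanned instead of certs[0] alone.
func checkServerTrusted(chain []*x509.Certificate, roots *x509.CertPool, pinned *x509.Certificate) error {
	if len(chain) == 0 {
		return errors.New("empty certificate chain")
	}
	intermediates := x509.NewCertPool()
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates})
	caMatch := err == nil
	if !caMatch && !pinnedInChain(pinned, chain) {
		return errors.New("certificate does not match")
	}
	return nil
}

// fixture is a constructed in-memory PKI: a private CA, a leaf it issued and an
// unrelated self-signed certificate. None of it is real Proxmox material.
type fixture struct{ ca, leaf, other *x509.Certificate }

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func newFixture() fixture {
	now := time.Now()
	tmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature,
		}
	}
	caKey, leafKey, otherKey := mustKey(), mustKey(), mustKey()
	caTmpl := tmpl(1, "Example Private CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage |= x509.KeyUsageCertSign
	ca := mkCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leaf := mkCert(tmpl(2, "pve.example.invalid"), ca, &leafKey.PublicKey, caKey)
	otherTmpl := tmpl(3, "unrelated.example.invalid")
	other := mkCert(otherTmpl, otherTmpl, &otherKey.PublicKey, otherKey)
	return fixture{ca: ca, leaf: leaf, other: other}
}

// runScenarios reports, per case, whether checkServerTrusted accepted the chain.
func runScenarios() map[string]bool {
	f := newFixture()
	trusted, empty := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(f.ca)
	chain := func(cs ...*x509.Certificate) []*x509.Certificate { return cs }
	return map[string]bool{
		"leaf+CA, CA trusted, other cert pinned": checkServerTrusted(chain(f.leaf, f.ca), trusted, f.other) == nil,
		"leaf+CA, CA unknown, leaf pinned":       checkServerTrusted(chain(f.leaf, f.ca), empty, f.leaf) == nil,
		"CA sent first, CA unknown, leaf pinned": checkServerTrusted(chain(f.ca, f.leaf), empty, f.leaf) == nil,
		"unrelated cert, leaf pinned":            checkServerTrusted(chain(f.other), empty, f.leaf) == nil,
	}
}

func main() {
	for name, ok := range runScenarios() {
		fmt.Printf("%-40s accepted=%v\n", name, ok)
	}
}
```

Running it prints one line per scenario; the first three are accepted and the last is rejected. Passing an explicit (possibly empty) CertPool matters here: a nil Roots would make Go fall back to the system trust store, which is not what a pinning check wants.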