[pve-devel] Fix for chained certificates in pve-ssl.pem

Michael Rasmussen mir at datanom.net
Wed May 29 16:52:58 CEST 2013


On Wed, 29 May 2013 14:22:36 +0000
Dietmar Maurer <dietmar at proxmox.com> wrote:

> 
> Sure, because we need to sign the applet.
>  
I know. It was just an indication to you that my patch is untested.

> > So I have attached a file containing what the patch should look like.
> 
> +	    if (!ca_match && !pvecert.equals(certs[0])) {
> 
> 
> We still compare with certs[0] - maybe we should compare with all certs instead? Or
> is there a defined order for those certs?
> 
All the instructions I have read anywhere follow this algorithm:
specific -> general
So certs[0] should match, but to be bulletproof maybe a comparison
should be made against the complete chain.

Untested:
int i;
boolean match = ca_match; // a trusted CA already vouched for the chain
if (!match) {
    // otherwise require the pve-ssl.pem certificate somewhere in the chain
    for (i = 0; i < certs.length; i++) {
        if (pvecert.equals(certs[i])) {
            match = true;
            break;
        }
    }
}

if (!match)
    throw new CertificateException("certificate does not match");


-- 
Hilsen/Regards
Michael Rasmussen

Get my public GnuPG keys:
michael <at> rasmussen <dot> cc
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E
mir <at> datanom <dot> net
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C
mir <at> miras <dot> org
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917
--------------------------------------------------------------
All bridge hands are equally likely, but some are more equally likely
than others.
		-- Alan Truscott
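As an added example, not code from this thread or from the Proxmox applet, here is a Java check of the kind discussed above: it locates the pinned pve-ssl.pem certificate anywhere in the presented chain and lets the caller decide whether only the leaf (certs[0]) counts. The chain order assumed is the one a TLS peer presents, leaf first and then its issuers. The class name PinnedCertCheck, the requireLeaf flag and the PEM file paths are assumptions made for the example; certificates are compared by their DER encoding, which is what X509Certificate.equals() does as well.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

// Example class (assumed name), not part of the Proxmox applet.
public class PinnedCertCheck {

    /** Position of the pinned certificate in the presented chain, or -1 if absent. */
    public static int indexInChain(X509Certificate pinned, X509Certificate[] chain)
            throws CertificateEncodingException {
        byte[] want = pinned.getEncoded();           // DER form of the pinned cert
        for (int i = 0; i < chain.length; i++) {
            if (Arrays.equals(want, chain[i].getEncoded())) {
                return i;
            }
        }
        return -1;
    }

    /**
     * Same decision as the patch under discussion: accept when the chain
     * already validated against a trusted CA (caMatch), otherwise require the
     * pinned pve-ssl.pem certificate to be present. With requireLeaf the
     * pinned certificate must be chain[0], because the TLS handshake proves
     * possession of the private key for chain[0] only.
     */
    public static void checkPinned(X509Certificate pinned, X509Certificate[] chain,
                                   boolean caMatch, boolean requireLeaf)
            throws CertificateException {
        if (caMatch) {
            return;
        }
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        int idx = indexInChain(pinned, chain);
        if (idx < 0 || (requireLeaf && idx != 0)) {
            throw new CertificateException("certificate does not match");
        }
    }

    /** Reads every certificate in a PEM file, in file order. */
    static X509Certificate[] loadPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
    }

    // Usage (paths are placeholders):
    //   java PinnedCertCheck path/to/pve-ssl.pem path/to/presented-chain.pem
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: PinnedCertCheck <pinned.pem> <presented-chain.pem>");
            System.exit(2);
        }
        X509Certificate pinned = loadPem(args[0])[0];  // first cert of the pinned file
        X509Certificate[] chain = loadPem(args[1]);     // leaf first, as TLS presents it
        int idx = indexInChain(pinned, chain);
        System.out.println("pinned certificate found at chain index " + idx);
        checkPinned(pinned, chain, false, true);        // throws unless it is the leaf
        System.out.println("OK: presented leaf is the pinned certificate");
    }
}
```

Searching the whole chain is more permissive than comparing certs[0]: a chain that merely contains the pinned certificate as a later element shows that the certificate was sent, not that the peer holds its private key, since the handshake demonstrates the key only for the leaf. When ca_match is false and the pinned certificate is the server's own certificate, requiring index 0 is the safer check; the index returned by indexInChain is still useful for logging which position matched.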