[pve-devel] applied: Something missing in http://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x_and_newer) ?

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Nov 23 08:41:46 CET 2016


On Tue, Nov 22, 2016 at 02:38:45PM +0100, Fabian Grünbichler wrote:
> ...
> -- >8 --
> 
> Subject: [PATCH manager] fix SSL verify callback for certificate chains
> 
> ignoring parts of the chain means saying they are verified,
> because the verify callback results are chained together
> starting with the highest depth.
> ---
>  PVE/HTTPServer.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
> index db1faae..3460050 100755
> --- a/PVE/HTTPServer.pm
> +++ b/PVE/HTTPServer.pm
> @@ -700,7 +700,7 @@ sub proxy_request {
>             verify_cb => sub {
>                 my (undef, undef, undef, $depth, undef, undef, $cert) = @_;
>                 # we don't care about intermediate or root certificates
> -               return 0 if $depth != 0;
> +               return 1 if $depth != 0;
>                 # check server certificate against cache of pinned FPs
>                 return check_cert_fingerprint($cert);
>             },
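
Review bot: the comment kept above the changed line in verify_cb, "we don't care about intermediate or root certificates", no longer explains the code and should be updated with this change. With `return 1 if $depth != 0;` every certificate above the leaf is accepted unconditionally, and the callback discards all of its arguments except $depth and $cert, so the only check left is check_cert_fingerprint($cert) at depth 0. Suggest rewording the comment to say that trust comes solely from the pinned fingerprint of the depth-0 certificate and that the other depths must return 1 because the results are chained starting with the highest depth (as the commit message explains), so nobody later "tightens" this back to `return 0` and breaks certificate chains again.
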
> -- 
> 2.1.4
> 

applied. thanks Stefan Priebe for reporting the issue and catching this
so early!



