
Re: [Pulp-list] M2Crypto patch submitted upstream for cert verification against a chain of CAs and CRL support



On 01/25/2012 04:38 PM, John Matthews wrote:
We have submitted a request to upstream M2Crypto asking that a patch be accepted which will allow us to verify a certificate against a chain of CAs as well as honor all CRLs which are available.  Additionally we have filed a BZ requesting that this patch be included in the Fedora version of M2Crypto.  In the meantime we will continue to carry a patched M2Crypto in the Pulp repos.

The heart of the patch is adding a "verify_cert" call to the X509_Store_Context.  This allows us to essentially perform the same certificate verification done by "openssl verify".

Below is information relating to this:

Fedora Bug asking to apply patch submitted to upstream:
Bug 784616 - Patch to allow certificate verification against a chain of CAs and a stack of CRLs
https://bugzilla.redhat.com/show_bug.cgi?id=784616

Upstream, M2Crypto bug:
https://bugzilla.osafoundation.org/show_bug.cgi?id=12954

As Mirek Trmač stated, m2crypto upstream is dead. In the long term, the best option is to use nss libs. E.g. urlgrabber has already made this change.


--
Miroslav Suchy
Red Hat Satellite Engineering
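
The kind of check the thread refers to as "openssl verify", verifying a certificate against a chain of CAs while honoring CRLs, shown with the openssl command line because the patched M2Crypto API is not reproduced on this page. This is an added example, not part of the original messages or of the Pulp or M2Crypto code; the CA names, serial numbers, file names and the throwaway CA configuration are all constructed for the demo.

```shell
# Added example. Subjects, serials and file names are constructed for the demo.
# For brevity both CAs share one database file; a real CA keeps one per issuer.
setup_pki() ( # $1: empty directory; builds root -> intermediate -> leaf plus CRLs
  cd "$1" || exit 1
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' '[ca]' 'default_ca=demo' \
    '[demo]' 'database=index.txt' 'default_md=sha256' 'default_crl_days=1' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > ca.cnf
  : > index.txt
  {
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
      -subj '/CN=Demo Root CA' -days 2 -keyout root.key -out root.pem &&
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -subj '/CN=Demo Intermediate CA' -keyout int.key -out int.csr &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 2 \
      -days 2 -extfile ca.cnf -extensions v3_ca -out int.pem &&
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -subj '/CN=leaf.example.test' -keyout leaf.key -out leaf.csr &&
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -set_serial 3 \
      -days 2 -out leaf.pem &&
    openssl ca -config ca.cnf -gencrl -cert root.pem -keyfile root.key -out root.crl &&
    openssl ca -config ca.cnf -gencrl -cert int.pem -keyfile int.key -out int.crl
  } >/dev/null 2>&1
)
verify_leaf() ( # exit 0 only if the chain is valid and nothing in it is revoked
  cd "$1" || exit 1
  cat root.crl int.crl > crls.pem   # -crl_check_all needs a CRL from every CA
  openssl verify -CAfile root.pem -untrusted int.pem \
    -crl_check_all -CRLfile crls.pem leaf.pem >/dev/null 2>&1
)
revoke_leaf() ( # revoke the leaf at the intermediate CA, then reissue its CRL
  cd "$1" || exit 1
  { openssl ca -config ca.cnf -revoke leaf.pem -cert int.pem -keyfile int.key &&
    openssl ca -config ca.cnf -gencrl -cert int.pem -keyfile int.key -out int.crl
  } >/dev/null 2>&1
)
chain_crl_demo() {
  d=$(mktemp -d) || return 1
  setup_pki "$d" || { rm -rf "$d"; return 1; }
  if verify_leaf "$d"; then before=accepted; else before=rejected; fi
  revoke_leaf "$d" || { rm -rf "$d"; return 1; }
  if verify_leaf "$d"; then after=accepted; else after=rejected; fi
  rm -rf "$d"
  echo "before revocation: $before, after revocation: $after"
}
chain_crl_demo
```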

