[Bug 246614] certctl(8) silently overwrites certs with same subjects
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Mon Aug 24 07:57:57 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246614
--- Comment #6 from Michael Osipov <michael.osipov at siemens.com> ---
Went through the given diff, there are still issues with it:
* serial should be turned into decimal to avoid confusion
* create_blacklisted() is completely ill-designed for several reasons:
** When processing all links must be purged first
** Blacklisted certs should not be linked at all
** using <hash>.r<digit> is wrong because the r suffix is solely reserved for
CRLs. Look into c_rehash: elsif($hdr eq "X509 CRL") {$is_crl = 1;..}
BUT the rehashing does work:
> root at deblndw011x:/etc/ssl/certs
> # ll | grep 8dc03e53
> lrwxr-xr-x 1 root wheel 52 2020-08-24 09:54 8dc03e53.0@ -> ../../../usr/local/etc/ssl/certs/siemens-cert-14.crt
> lrwxr-xr-x 1 root wheel 52 2020-08-24 09:54 8dc03e53.1@ -> ../../../usr/local/etc/ssl/certs/siemens-cert-15.crt
> root at deblndw011x:/etc/ssl/certs
> # certctl list | grep "Siemens Internet CA V1.0"
> 8dc03e53.0 Siemens Internet CA V1.0
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the freebsd-bugs
mailing list