[Bug 246614] certctl(8) silently overwrites certs with same subjects
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Sun Sep 13 02:18:18 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246614
--- Comment #17 from commit-hook at FreeBSD.org ---
A commit references this bug:
Author: kevans
Date: Sun Sep 13 02:17:18 UTC 2020
New revision: 365683
URL: https://svnweb.freebsd.org/changeset/base/365683
Log:
MFS r365681: certctl: fix hashed link generation with duplicate subjects
Currently, certctl rehash will just keep clobbering .0 rather than
incrementing the suffix upon encountering a duplicate. Do this, and do it
for blacklisted certs as well.
This also improves the situation with the blacklist to be a little less
flakey, comparing cert fingerprints for all certs with a matching subject
hash in the blacklist to determine if the cert we're looking at can be
installed.
Future work needs to completely revamp the blacklist to align more with how
it's described in PR 246614. In particular, /etc/ssl/blacklisted should go
away to avoid potential confusion -- OpenSSL will not read it, it's
basically certctl internal.
PR: 246614
Approved by: re (gjb)
Changes:
_U releng/12.2/
releng/12.2/usr.sbin/certctl/certctl.sh
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the freebsd-bugs
mailing list