Hi,

On Mon, Mar 12, 2018 at 4:21 AM, Gert Doering <g...@greenie.muc.de> wrote:
>
> Hi Selva,
>
> On Sun, Mar 11, 2018 at 09:17:58PM -0400, selva.n...@gmail.com wrote:
> > From: Selva Nair <selva.n...@gmail.com>
> >
> > Have the cryptoapicert option find the first matching certificate
> > in store that is valid at the present time. Currently the first
> > found item, even if expired, is returned.
>
> Are these two intended for master only or master+2.4?
>
> (I admit that I am too lazy right now to go and actually look at the
> surrounding code :-) - but with all the recent work wrt cryptoapi and
> external management key, I lost track which bits are considered "new
> goodies for master only")
>
> Functionality-wise this makes sense (feature-ACK), and it also makes
> sense for 2.4 - because "if there are two certificates, an expired and
> a valid one, and we take the expired one" smells very much like a bug
> to me :-)
Agree, this could qualify for 2.4. Anyway, the context is the same and it
applies/cherry-picks to 2.4 without issues.

Elsewhere in the code we only warn about expired certs (like those read
from a file) and continue with the connection to eventually end up with
the unhelpful "TLS key negotiation failed to complete. Check your
network..." error [*]. In that sense this is a regression. IMO, the
client should error out on invalid certs from other sources as well.

Selva
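To make the selection rule under discussion concrete, here is an added illustration that is not OpenVPN's code and does not touch the Windows CryptoAPI: the store, the `cert_entry` structure and the sample certificates are constructed stand-ins. It contrasts "first subject match" (the behaviour Gert calls a bug) with "first subject match that is valid right now", and also skips a certificate whose validity has not started yet, which goes slightly beyond the expired-only case in the thread. The `-1 / 0 / +1` return convention of `cert_time_validity` mirrors CryptoAPI's `CertVerifyTimeValidity` only by analogy.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Constructed stand-in for one certificate-store entry. Only the fields the
 * selection logic needs are modelled; this is not OpenVPN's or Windows'
 * certificate structure. Times are plain time_t values for the example. */
struct cert_entry {
    const char *subject;   /* what the cryptoapicert selector is matched against */
    time_t not_before;     /* start of validity window */
    time_t not_after;      /* end of validity window */
};

/* Returns 0 if the certificate is valid at 'now', -1 if it is not yet
 * valid and +1 if it has expired (same sign convention as the CryptoAPI
 * function CertVerifyTimeValidity, used here only as an analogy). */
int cert_time_validity(const struct cert_entry *c, time_t now)
{
    if (now < c->not_before) return -1;
    if (now > c->not_after)  return 1;
    return 0;
}

/* Old behaviour: return the index of the first entry whose subject
 * matches, regardless of whether it is currently valid; -1 if none. */
int find_first_match(const struct cert_entry *store, size_t n,
                     const char *subject)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(store[i].subject, subject) == 0)
            return (int)i;
    }
    return -1;
}

/* Patched behaviour: a subject match is only accepted if the certificate
 * is valid at 'now'; expired and not-yet-valid matches are skipped and the
 * search continues. Returns the index or -1 if no valid match exists. */
int find_first_valid_match(const struct cert_entry *store, size_t n,
                           const char *subject, time_t now)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(store[i].subject, subject) != 0)
            continue;
        if (cert_time_validity(&store[i], now) != 0)
            continue;   /* matching subject, but outside its validity window */
        return (int)i;
    }
    return -1;
}

/* Constructed sample store. The expired certificate precedes the renewed
 * one, which is exactly the ordering that made the old code pick the
 * expired certificate. */
static const struct cert_entry sample_store[] = {
    { "CN=vpn-client", 1000, 2000 },   /* expired at now=3000 */
    { "CN=other",      1500, 9000 },   /* different subject, never matches */
    { "CN=vpn-client", 1900, 9000 },   /* valid at now=3000 */
    { "CN=vpn-client", 5000, 9000 },   /* not yet valid at now=3000 */
};
static const size_t sample_store_len =
    sizeof sample_store / sizeof sample_store[0];

/* Convenience wrappers over the constructed store. */
int demo_old_selection(void)
{
    return find_first_match(sample_store, sample_store_len, "CN=vpn-client");
}

int demo_new_selection(time_t now)
{
    return find_first_valid_match(sample_store, sample_store_len,
                                  "CN=vpn-client", now);
}
```

With the sample store, the old rule returns index 0 (the expired certificate) while the new rule returns index 2 at `now = 3000`; if no matching certificate is valid at all, the new rule returns -1, which is the case in which the caller should fail loudly rather than proceed to a TLS handshake that cannot succeed.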