On 01/25/2012 04:38 PM, John Matthews wrote:
> We have submitted a request to upstream M2Crypto asking that a patch be
> accepted which will allow us to verify a certificate against a chain of CAs as
> well as honor all CRLs which are available. Additionally we have filed a BZ
> requesting that this patch be included in the Fedora version of M2Crypto. In
> the meantime we will continue to carry a patched M2Crypto in the Pulp repos.
>
> The heart of the patch is adding a "verify_cert" call to the X509_Store_Context. This
> allows us to essentially perform the same certificate verification done by "openssl
> verify".
>
> Below is information relating to this:
>
> Fedora Bug asking to apply patch submitted to upstream:
> Bug 784616 - Patch to allow certificate verification against a chain of CAs and
> a stack of CRLs
> https://bugzilla.redhat.com/show_bug.cgi?id=784616
>
> Upstream, M2Crypto bug:
> https://bugzilla.osafoundation.org/show_bug.cgi?id=12954

As Mirek Trmač stated, M2Crypto upstream is dead. In the long term the best
option is to use NSS libs. E.g. urlgrabber has already made this change.
--
Miroslav Suchy
Red Hat Satellite Engineering
_______________________________________________
Pulp-list mailing list
https://www.redhat.com/mailman/listinfo/pulp-list