This series includes three patches that were posted a fairly long time ago. They are borderline between a feature request and a bug fix, but I'm classing them more bug fix, since they addressing issues with cert acceptance that we really should not have had.
The patches by Henry had outstanding comments from myself, and I've chosen to simply fix them in two followup commits of my own now to get this over the line. The patch from "matoro" was not accepted because they were contributed under a github alias. With our change to have a more relaxed interpretation of the DCO allowing any "known identity", we can now accept this patch. It had some conflicts with Henry's patch which I've fixed up. Then there is one other small bug fix and one improvement to use a newer gnutls API. Changed in v3: - Re-ordered patch for fixing error reporting to be near start of series, instead of end - Add unit test for validating error reporting with incomplete CA chains - Unit test to validate that an Error is filled on expected failures Changed in v2: - Update to latest upstream Daniel P. Berrangé (5): crypto: remove extraneous pointer usage in gnutls certs crypto: validate an error is reported in test expected fails crypto: fix error reporting in cert chain checks crypto: stop requiring "key encipherment" usage in x509 certs crypto: switch to newer gnutls API for distinguished name Henry Kleynhans (1): crypto: only verify CA certs in chain of trust matoro (1): crypto: allow client/server cert chains crypto/tlscredsx509.c | 223 +++++++++++++++----------- crypto/tlssession.c | 12 +- docs/system/tls.rst | 13 +- tests/unit/crypto-tls-x509-helpers.h | 6 +- tests/unit/test-crypto-tlscredsx509.c | 155 +++++++++++++++--- tests/unit/test-crypto-tlssession.c | 14 +- tests/unit/test-io-channel-tls.c | 4 +- 7 files changed, 280 insertions(+), 147 deletions(-) -- 2.50.1
