Opened 7 years ago
Closed 7 years ago
#10842 closed Patch (rejected)
Reported by: Tommy Wu
Owned by:
Component version: 3.18.0-rc1
Operating system type:
Operating system version:
- For saving a trusted certificate, depend on the currently chosen certificate in the chain: if it is not the first one, use the certificate's CN as Host and set Port to 0.
- When we need to check whether the certificate is trusted or not, check all certificates in the chain, not just the first one; if any one of them is trusted, then trust this certificate.
Change History (2)
by , 7 years ago
comment:1 by , 7 years ago
Status: new → closed
This patch is extremely insecure. It grants individual certificates ultimate trust for the subject to sign the entire Internet. While this may be desired in some exotic use-cases, there are some issues with your patch:
- Hostname checks in leaf certificates are not currently implemented in FZ. Having them is a mandatory prerequisite for having CAs as trust anchors
- The patch would trust invalid chains, e.g. with expired child certificates
- The UI does not make it clear that a CA is being trusted (and the dangers involved in doing so) instead of a leaf certificate
- There is no UI to remove CA certificates
- There can be multiple CA certificates with the same CN, the code does not handle this case
Due to the complexities involved in securely handling trust delegation, any implementation of such functionality in FZ must use the trust list functionality from GnuTLS.
The patch allows saving a non-first certificate in the chain, and IsTrust() will check all certificates in the chain.
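To make the objections in comment:1 concrete, the following Python model is an added example; it is not FileZilla code and not the patch attached to this ticket. It contrasts a check that trusts a chain whenever any certificate in it matches a stored entry keyed on CN and port 0 (how the ticket describes the patch; the exact lookup rule is an assumption drawn from that description) with a check that enforces validity dates, hostname, issuer linkage and anchor identity by fingerprint. All certificates, names, fingerprints and the fixed clock are constructed, and signature verification is deliberately left out, which is exactly the part a real implementation must get from a library such as the GnuTLS trust list API mentioned in the rejection.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Fixed "current time" for the constructed scenario (assumption, not real data).
NOW = datetime(2017, 6, 1, tzinfo=timezone.utc)


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    """Minimal model of an X.509 certificate. All fields are constructed; no real DER."""
    subject_cn: str
    issuer_cn: str
    fingerprint: str              # stands in for the SHA-256 of the DER encoding
    not_after: datetime
    dns_names: tuple = ()         # subjectAltName DNS entries (leaf certificates)
    is_ca: bool = False


@dataclass(frozen=True)
class TrustEntry:
    host: str
    port: int
    fingerprint: str


def save_trust_as_patched(cert, host, port):
    """Ticket #10842 behaviour: a non-leaf certificate is stored under its CN with port 0."""
    if cert.is_ca:
        return TrustEntry(cert.subject_cn, 0, cert.fingerprint)
    return TrustEntry(host, port, cert.fingerprint)


def is_trusted_patched(chain, host, port, store):
    """Model of the rejected check: trusted if ANY certificate in the chain matches.
    CA-style entries are matched on CN and port 0 alone (assumption from the ticket
    text); expiry, hostname and chain linkage are never examined."""
    for cert in chain:
        for entry in store:
            if entry.port == 0 and entry.host == cert.subject_cn:
                return True
            if (entry.host, entry.port, entry.fingerprint) == (host, port, cert.fingerprint):
                return True
    return False


def is_trusted_hardened(chain, host, port, store, now=NOW):
    """The minimum a trust-delegation check needs. Still a model: signatures are not
    verified here, so a real client must add that step."""
    if not chain:
        return False
    leaf = chain[0]
    # 1. every certificate in the chain must still be within its validity period
    if any(cert.not_after <= now for cert in chain):
        return False
    # 2. the leaf must be issued for the host we are actually connecting to
    if host not in leaf.dns_names:
        return False
    # 3. issuer/subject must link, and every non-leaf certificate must be a CA
    for child, parent in zip(chain, chain[1:]):
        if child.issuer_cn != parent.subject_cn or not parent.is_ca:
            return False
    # 4. a trust anchor is recognised by its fingerprint, never by its CN
    anchors = {entry.fingerprint for entry in store if entry.port == 0}
    if any(cert.fingerprint in anchors for cert in chain[1:]):
        return True
    # 5. otherwise only an explicit pin of this exact leaf for this host:port counts
    return any((entry.host, entry.port, entry.fingerprint) == (host, port, leaf.fingerprint)
               for entry in store)


# Constructed certificates. Two distinct CAs deliberately share the CN "Example Root CA".
GOOD_CA = Cert("Example Root CA", "Example Root CA", "ca-aaaa", _utc(2030, 1, 1), is_ca=True)
ROGUE_CA = Cert("Example Root CA", "Example Root CA", "ca-bbbb", _utc(2030, 1, 1), is_ca=True)
LEAF_OK = Cert("ftp.example.com", "Example Root CA", "leaf-1111", _utc(2018, 1, 1),
               dns_names=("ftp.example.com",))
LEAF_EXPIRED = Cert("ftp.example.com", "Example Root CA", "leaf-2222", _utc(2016, 1, 1),
                    dns_names=("ftp.example.com",))
LEAF_OTHER_HOST = Cert("evil.example.net", "Example Root CA", "leaf-3333", _utc(2018, 1, 1),
                       dns_names=("evil.example.net",))
LEAF_ROGUE = Cert("ftp.example.com", "Example Root CA", "leaf-4444", _utc(2018, 1, 1),
                  dns_names=("ftp.example.com",))

# The user picked the CA in the chain dialog and saved it, as the patch allows.
STORE = [save_trust_as_patched(GOOD_CA, "ftp.example.com", 21)]
HOST, PORT = "ftp.example.com", 21


def scenarios():
    """Returns {name: (patched_verdict, hardened_verdict)} for each constructed chain."""
    cases = {
        "valid chain": [LEAF_OK, GOOD_CA],
        "expired leaf": [LEAF_EXPIRED, GOOD_CA],
        "leaf for another host": [LEAF_OTHER_HOST, GOOD_CA],
        "same-CN rogue CA": [LEAF_ROGUE, ROGUE_CA],
    }
    return {name: (is_trusted_patched(chain, HOST, PORT, STORE),
                   is_trusted_hardened(chain, HOST, PORT, STORE))
            for name, chain in cases.items()}


if __name__ == "__main__":
    for name, (patched, hardened) in scenarios().items():
        print(f"{name:24s} patched={patched!s:5s} hardened={hardened}")
```

Only the first scenario should be accepted; the patched model accepts all four because the stored CN matches a certificate somewhere in the chain, which is the "sign the entire Internet" outcome the rejection describes. Note that the hardened model also fails closed on the same-CN rogue CA because anchors are compared by fingerprint, not by name.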