Date:      Sun, 13 Sep 2020 01:10:02 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 246614] certctl(8) silently overwrites certs with same subjects
Message-ID:  <bug-246614-227-gTKsTZwxx0@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-246614-227@https.bugs.freebsd.org/bugzilla/>
References:  <bug-246614-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246614

--- Comment #16 from commit-hook@FreeBSD.org ---
A commit references this bug:

Author: kevans
Date: Sun Sep 13 01:09:23 UTC 2020
New revision: 365681
URL: https://svnweb.freebsd.org/changeset/base/365681

Log:
  MFC r365500: certctl: fix hashed link generation with duplicate subjects

  Currently, certctl rehash will just keep clobbering .0 rather than
  incrementing the suffix upon encountering a duplicate. Do this, and do it
  for blacklisted certs as well.

  This also improves the situation with the blacklist to be a little less
  flakey, comparing cert fingerprints for all certs with a matching subject
  hash in the blacklist to determine if the cert we're looking at can be
  installed.

  Future work needs to completely revamp the blacklist to align more with how
  it's described in PR 246614. In particular, /etc/ssl/blacklisted should go
  away to avoid potential confusion -- OpenSSL will not read it, it's
  basically certctl internal.

  PR:           246614

Changes:
_U  stable/11/
  stable/11/usr.sbin/certctl/certctl.sh
_U  stable/12/
  stable/12/usr.sbin/certctl/certctl.sh

-- 
You are receiving this mail because:
You are on the CC list for the bug.
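
The suffix handling described in the commit log above, as an added shell sketch that is not part of the commit or of certctl.sh. The function names are hypothetical, the subject hash is passed in by the caller, and a byte comparison stands in for the fingerprint comparison the log mentions.

```shell
#!/bin/sh
# Added illustration, not certctl.sh. The caller supplies the subject hash
# (in practice: openssl x509 -noout -subject_hash -in cert.pem).

# same_cert A B: true when both files hold the same certificate.
# Assumption: cmp stands in for comparing `openssl x509 -fingerprint` output.
same_cert() {
	cmp -s "$1" "$2" 2>/dev/null
}

# Behaviour the log describes as the bug: every certificate with this
# subject hash lands on <hash>.0, so a later one replaces an earlier one.
# $1 = link directory, $2 = subject hash, $3 = certificate path
link_clobbering() {
	ln -fs "$3" "$1/$2.0"
	echo "$2.0"
}

# Behaviour the log describes as the fix: walk <hash>.0, <hash>.1, ... and
# use the first free suffix, unless the same certificate is already linked.
# $1 = link directory, $2 = subject hash, $3 = certificate path
link_incrementing() {
	dir=$1 hash=$2 cert=$3 n=0
	# -L also catches a dangling symlink, which -e alone reports as absent.
	while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
		if same_cert "$dir/$hash.$n" "$cert"; then
			echo "$hash.$n"	# already installed under this suffix
			return 0
		fi
		n=$((n + 1))
	done
	ln -s "$cert" "$dir/$hash.$n"
	echo "$hash.$n"
}
```

Each function prints the link name it used, so running both over two different certificates that share a subject hash shows one link left by the first and two by the second.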