Re: controlling the location of server-side SSL files

From Magnus Hagander
Subject Re: controlling the location of server-side SSL files
Date
Msg-id CABUevEy+wzSwene9CHcPX45J9Jz7d+H0DzRBo9TE_mWs3gMDDw@mail.gmail.com
In response to Re: controlling the location of server-side SSL files  (Peter Eisentraut <peter_e@gmx.net>)
Responses Re: controlling the location of server-side SSL files  (Peter Eisentraut <peter_e@gmx.net>)
Re: controlling the location of server-side SSL files  (Peter Eisentraut <peter_e@gmx.net>)
List pgsql-hackers
On Tuesday, February 7, 2012, Peter Eisentraut wrote:
> On tis, 2012-01-24 at 22:05 +0200, Peter Eisentraut wrote:
> > > > One thing that is perhaps worth thinking about:  Currently, we just
> > > > ignore missing root.crt and root.crl files.  With this patch, we still
> > > > do this, even if the user has given a specific nondefault location.
> > > > That seems a bit odd, but I can't think of a simple way to do it better.
> > >
> > > There's a review in the CF app for this finding only minor issues, so
> > > I'm marking this patch therein as "Ready for Committer".
> >
> > OK, no one had any concerns about the missing file behavior I
> > described above?  If not, then I'll commit it soon.
>
> I'm still worried about this.  If we ignore a missing root.crt, then the
> effect is that authentication and certificate verification might fail,
> which would be annoying, but you'd notice it soon enough.  But if we
> ignore a missing root.crl, we are creating a security hole.

Yes, ignoring a missing file in a security context is definitely not good. It should throw an error.

We have a few bad defaults from the old days around SSL for this, but if it requires breaking backwards compatibility to get it right, I think we should still do it.
> My best idea at the moment is that we should set these parameters to
> empty by default, and make users point them to existing files if they
> want to use that functionality.  Comments?

+1. Anybody who actually cares about setting up security is likely not going to rely on defaults anyway - and is certainly going to review whatever they are. So there should be no big problem there.

//Magnus



--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
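The two behaviours discussed above, the old rule that silently ignores a missing CA or CRL file and the proposed rule that an empty setting means "off" while a non-empty setting must name an existing file, side by side as an added Python illustration that is not from the thread or from PostgreSQL's own code. The parameter names ssl_ca_file and ssl_crl_file, the ConfigError type and the temporary data directory are assumptions made for the example.

```python
"""Added example (not the thread's or PostgreSQL's code): compares the lenient
and the strict way of resolving server-side CA/CRL file settings.
Parameter names and the data-directory layout are assumed for illustration."""
import os
import tempfile

# Assumed parameter names and the legacy default file names from the thread.
DEFAULT_FILES = {"ssl_ca_file": "root.crt", "ssl_crl_file": "root.crl"}


class ConfigError(Exception):
    """Raised when a configured security file cannot be found."""


def resolve_lenient(settings, data_dir):
    """Old behaviour: a missing file is silently ignored, so a missing
    root.crl quietly turns revocation checking off."""
    resolved = {}
    for param, default in DEFAULT_FILES.items():
        path = os.path.join(data_dir, settings.get(param) or default)
        resolved[param] = path if os.path.isfile(path) else None
    return resolved


def resolve_strict(settings, data_dir):
    """Proposed behaviour: empty means the feature is off; a non-empty
    value must point at an existing file, otherwise startup fails."""
    resolved = {}
    for param in DEFAULT_FILES:
        value = settings.get(param, "")
        if not value:
            resolved[param] = None
            continue
        path = value if os.path.isabs(value) else os.path.join(data_dir, value)
        if not os.path.isfile(path):
            raise ConfigError(f"{param}: file {path!r} does not exist")
        resolved[param] = path
    return resolved


def demo():
    """Constructed scenario: CA file present, CRL configured but missing.
    Returns (lenient CRL result, strict error message)."""
    with tempfile.TemporaryDirectory() as data_dir:
        open(os.path.join(data_dir, "root.crt"), "w").close()
        settings = {"ssl_ca_file": "root.crt", "ssl_crl_file": "root.crl"}
        lenient = resolve_lenient(settings, data_dir)
        try:
            resolve_strict(settings, data_dir)
            strict_error = None
        except ConfigError as err:
            strict_error = str(err)
        return lenient["ssl_crl_file"], strict_error
```

With the lenient rule the missing CRL resolves to None and the server would start without revocation checking; with the strict rule the same configuration is rejected at startup.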
