Todo #1438
closed
Add override for CSR request->response subject mismatch
Added by Yehuda Katz over 13 years ago.
Updated over 13 years ago.
Description
Just a bit of bug checking and the code that I mentioned on the mailing list will be ready (I am waiting on my CA to issue another cert).
Thoughts: another way (the proper way) to check whether a CSR and CERT match without checking the subjects.
Compare the outputs of:
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
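The check described above, as an added example that is not part of the original ticket or of pfSense's code. It generalizes the modulus/md5 comparison by hashing the whole public key with SHA-256, so it also works for non-RSA keys. The function names (pubkey_digest, same_key, make_demo), file names and subjects are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not pfSense code): decide whether a CSR, a certificate and a
# private key belong together by comparing public keys, ignoring the subject.

# Print the SHA-256 of the DER-encoded public key found in a PEM file.
# $1 = cert | csr | key   $2 = path
pubkey_digest() {
    case "$1" in
        cert) pem=$(openssl x509 -noout -pubkey -in "$2" 2>/dev/null) ;;
        csr)  pem=$(openssl req -noout -pubkey -in "$2" 2>/dev/null) ;;
        key)  pem=$(openssl pkey -pubout -in "$2" 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    # An unreadable file must never hash to the same value as another one.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit 0 if both files carry the same public key, 1 if not, 2 on a read error.
same_key() {
    a=$(pubkey_digest "$1" "$2") || return 2
    b=$(pubkey_digest "$3" "$4") || return 2
    [ "$a" = "$b" ]
}

# Constructed sample data: fw.crt reuses the CSR's key under a rewritten
# subject (what a CA may return); other.crt copies the CSR's subject but
# holds a different key. Both are self-signed stand-ins for a CA response.
make_demo() {
    d=$(mktemp -d) || return 1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/fw.key" \
        -subj "/O=Example Org/CN=fw.example.test" -out "$d/fw.csr" 2>/dev/null
    openssl req -x509 -new -key "$d/fw.key" -days 1 -out "$d/fw.crt" \
        -subj "/OU=Domain Control Validated/CN=fw.example.test" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/other.key" -days 1 \
        -subj "/O=Example Org/CN=fw.example.test" -out "$d/other.crt" 2>/dev/null
    echo "$d"
}

dir=$(make_demo) && for c in fw.crt other.crt; do
    if same_key csr "$dir/fw.csr" cert "$dir/$c"; then
        echo "$c: public key matches the CSR"
    else
        echo "$c: does not match the CSR"
    fi
done
if [ -n "$dir" ]; then rm -rf "$dir"; fi
```

A subject comparison would reject fw.crt and accept other.crt here; the key comparison gives the opposite, correct answer in both cases.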
Files
Here is the simple patch. A better one is on the way.
What I meant to say there is this patch fixes the problem.
I am working on a patch that will actually completely work around the problem by checking the modulus of the request and the response.
Also, I am not sure what happened to diff that the patch does not show up properly. Anyone know?
- Target version set to 2.0
Tested this with a cert from Namecheap. Originally I was seeing the issue described here; I synced up to Yehuda's git clone and it then worked fine. Everything else looks to work as well, and the diff looks fine; it needs another person to review.
My semester ends in about 2-3 weeks. At that point I will look around in the code for other places where this type of validation might be useful (maybe when creating regular certificates with public/private key).
I am not quite done yet, but I was looking at this ticket and there does not seem to be a way that I can update the percentage done field. I know it does not really matter, but I like to be complete if I can.
Yehuda - That option is only available to users with certain levels of access here. If you want to just add a note on the ticket with the % done you want, someone with access can change that for you. It's at 80% now.
On an unrelated note, when this is complete, ticket #1318 can also be closed since this will fix the problem.
Another note: Our repositories have moved from rcs.pfsense.org to github (https://github.com/bsdperimeter/pfsense), so you would need to make a new fork there and apply your patch, and then request a merge again if you want to go that route.
I already forked from GitHub and I am working from there.
I should have something to merge later today.
I was going through the files again and I found that there are no more places in the code that need this change.
This ticket can be marked as done.
My other SSL-related ticket (#1437) goes on...
- Status changed from New to Resolved
I didn't see a commit bringing this into mainline, is the patch on the ticket up to date? I just want to make sure we get the right code in.
a828210b746c074c1e701a44f5f2ec3a69ba368a
2594f4010b85e5f4571ba76a69e36a16f441b4e3
Ah, ok. I wasn't looking back far enough in the git log. Looks good, thanks!