Revision ffcb4247
Added by Jim Pingle almost 2 years ago
src/etc/inc/certs.inc | ||
---|---|---|
2608 | 2608 |
if (empty($cert['prv']) && ($type == 'cert')) { |
2609 | 2609 |
continue; |
2610 | 2610 |
} elseif (cert_check_pkey_compatibility($cert['prv'], $consumer) && |
2611 |
cert_check_digest_compatibility($type, $cert['crt'], $consumer)) {
|
|
2611 |
cert_check_digest_compatibility($type, $cert, $consumer)) { |
|
2612 | 2612 |
if ($selectsource) { |
2613 | 2613 |
$list[] = array('refid' => $cert['refid'], |
2614 | 2614 |
'descr' => $cert['descr']); |
... | ... | |
2813 | 2813 |
'ca' => ['HTTPS'], |
2814 | 2814 |
'cert' => ['HTTPS', 'OpenVPN'], |
2815 | 2815 |
]; |
2816 |
return (!cert_has_weak_digest($cert) || |
|
2816 |
$usable = true; |
|
2817 |
/* HTTPS certificates must not have a weak entry anywhere in the CA+Cert |
|
2818 |
* chain */ |
|
2819 |
if (($type == 'cert') && |
|
2820 |
($consumer == 'HTTPS')) { |
|
2821 |
$usable = !cert_chain_has_weak_digest($cert); |
|
2822 |
} else { |
|
2823 |
$usable = !cert_has_weak_digest($cert['crt']); |
|
2824 |
} |
|
2825 |
return ($usable || |
|
2817 | 2826 |
!in_array($consumer, $nonweak_consumers[$type])); |
2818 | 2827 |
} |
2819 | 2828 |
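Review bot: The chain-wide check at new lines 2819-2821 is gated on `$type == 'cert'` and `$consumer == 'HTTPS'` only, so the `else` branch still tests just the entry's own `$cert['crt']` for OpenVPN certificates and for `'ca'` entries, although both are listed in `$nonweak_consumers`. If a leaf-only check is intended for those cases, the comment should say so, for example `/* Only HTTPS certs get a full chain check; CA entries and OpenVPN certs are checked on their own digest */`. The initial `$usable = true;` is overwritten on both branches and can be dropped. The second argument is now the whole certificate entry rather than its `crt` field, and the function's signature and any other callers lie outside the visible hunks, so it is worth confirming that every caller passes the array.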
|
Correct HTTPS cert list. Fixes #14672
Make sure to exclude weak CA chains from list of HTTPS certificates.