Commit 4c1fc325 authored by Vincent Pelletier's avatar Vincent Pelletier

caucase.http: Accept user certificates signed by non-current CA.

Otherwise, client certificates issued before a new CA is introduced get rejected
once that new CA becomes the current one.
parent 03807a53
...@@ -308,7 +308,10 @@ def getSSLContext( ...@@ -308,7 +308,10 @@ def getSSLContext(
# certificate. # certificate.
#ssl_context.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF #ssl_context.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
ssl_context.load_verify_locations( ssl_context.load_verify_locations(
cadata=utils.toUnicode(cau.getCACertificate()), cadata=utils.toUnicode(b'\n'.join(
utils.dump_certificate(x)
for x in cau.getCACertificateList()
)),
) )
http_cas_certificate_list = http_cas.getCACertificateList() http_cas_certificate_list = http_cas.getCACertificateList()
threshold_delta = datetime.timedelta(threshold, 0) threshold_delta = datetime.timedelta(threshold, 0)
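Review bot: The new `cadata` value loads every certificate from `cau.getCACertificateList()` into the trust store without a comment saying why, so the intent — keep accepting user certificates issued by a superseded CA — is only recoverable from the commit message; add above `ssl_context.load_verify_locations(`: `# Trust every CA certificate this caucase has issued under, not only the current one, so user certificates signed by a previous CA keep working until they expire.` Correctness also depends on `utils.dump_certificate` returning PEM bytes for each entry, since `b'\n'.join(...)` followed by `toUnicode` only makes sense for PEM; worth confirming if that helper can emit DER. With the CRL check still commented out two lines above, a certificate signed by a retired CA stops being accepted only when it or that CA certificate expires, so the retired CA's own validity period bounds how long it remains trusted. getSSLContext starts before this hunk.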
...@@ -1523,6 +1523,11 @@ class CaucaseTest(unittest.TestCase): ...@@ -1523,6 +1523,11 @@ class CaucaseTest(unittest.TestCase):
datetime.timedelta(100, 0), datetime.timedelta(100, 0),
) )
self._startServer() self._startServer()
# A user certificate signed by the old CA must still be accetped
self._runClient(
'--user-key', new_user_key,
'--list-csr', # Whatever restricted operation
)
self._runClient( self._runClient(
'--mode', 'user', '--mode', 'user',
# 100 days is longer than certificate life, so it will be immediately # 100 days is longer than certificate life, so it will be immediately
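Review bot: The comment on the added `_runClient` call misspells "accepted" (`# A user certificate signed by the old CA must still be accetped`), and it sits next to the argument `new_user_key`, which reads as the opposite of "old CA"; presumably that key's certificate was issued before the CA rollover, so a comment stating that would help: `# new_user_key was certified before the CA rollover; it must still be accepted now that the new CA is current`. The check relies on `_runClient` failing the test when the server rejects the certificate, which is not visible here; if it only returns, an explicit assertion on its result is needed. The enclosing test method starts before this hunk.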