BIND 10 #1044: SSL/TLS certificate for b10-cmdctl is expired

BIND 10 Development do-not-reply at isc.org
Sun Nov 25 17:48:47 UTC 2012


#1044: SSL/TLS certificate for b10-cmdctl is expired
-------------------------------------+-------------------------------------
                   Reporter:  cas    |                 Owner:  jelte
                       Type:  defect |                Status:  reviewing
                   Priority:  medium |             Milestone:  Sprint-20121204
                  Component:  cmd-ctl|            Resolution:
                   Keywords:         |             Sensitive:  0
            Defect Severity:  High   |           Sub-Project:  Core
Feature Depending on Ticket:  alpha2 |  Estimated Difficulty:  3.0
        Add Hours to Ticket:  0      |           Total Hours:  0
                  Internal?:  0      |
-------------------------------------+-------------------------------------
Changes (by muks):

 * owner:  muks => jelte


Comment:

 Hi Jelte

 Apologies for the delay in responding as I had the day off on Friday.

 Replying to [comment:13 jelte]:
 > > * The way we overload Botan's `X509_Code` with our own extra values can
 > >   be problematic. The two should be separate I think. In case Botan adds
 > >   more values in future versions, it may clash with our values. In the
 > >   case of unittests, maybe we can regex-match the output in case we want
 > >   to check for Botan errors.
 > >
 >
 > I don't think I follow. Do you mean the exit codes we add? I don't think
 > the addition would be a problem (I don't really see Botan adding more than
 > 99 error codes); depending on the exit code in external scripts might,
 > since we can't be sure Botan doesn't *change* them. But in that case the
 > best solution would probably be to exit with one fixed number for every
 > non-zero Botan code.

 If Botan adds a single additional enumeration constant = 100 into that
 enum, it will not break Botan's API or ABI, but it will break our
 assumption upon which this code is written. I merely want to point this
 out in the review, that's all. :)

 The changes look good, but they are a set of changes grouped together in a
 single commit with a log message "Fix review comments". :) It seems that
 one unrelated change in `perfdhcp` was included by mistake as well. I
 suggest breaking these into individual commits for each thing they
 address.

 What about Shane's comment about checking certificate expiry before using
 it (comment [comment:11])? Does the code already check the expiry time in
 the certificate?

-- 
Ticket URL: <http://bind10.isc.org/ticket/1044#comment:14>
BIND 10 Development <http://bind10.isc.org>
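
The enum-overloading concern raised in the comment above, as an added example that is not code from BIND 10 or Botan. `LibCode` is a hypothetical stand-in for a library-owned result enum, and the tool-side names and the base value of 100 are assumptions taken from the discussion.

```cpp
#include <cstdio>
#include <string>

// Hypothetical stand-in for a library-owned result enum (not Botan's real
// X509_Code definition). LIB_ADDED_LATER simulates a constant that a future
// library release appends without breaking its own API or ABI.
enum LibCode { LIB_VERIFIED = 0, LIB_SIGNATURE_ERROR = 4,
               LIB_CERT_HAS_EXPIRED = 10, LIB_ADDED_LATER = 100 };

// Overloaded scheme: tool-specific statuses share the library's number space.
// Starting them at 100 is an assumption based on the thread.
enum OverloadedStatus { OV_FILE_NOT_FOUND = 100, OV_BAD_OPTIONS = 101 };

int overloadedExit(LibCode code) {
    return static_cast<int>(code);   // library value passed straight through
}

// Separated scheme: the tool owns a small, fixed set of exit statuses and
// reports the library's code only as diagnostic text.
enum ToolExit { TOOL_OK = 0, TOOL_VERIFY_FAILED = 1,
                TOOL_FILE_NOT_FOUND = 2, TOOL_BAD_OPTIONS = 3 };

struct Outcome {
    ToolExit status;        // what the process exits with
    std::string message;    // what unit tests or operators can match on
};

Outcome separatedOutcome(LibCode code) {
    if (code == LIB_VERIFIED) {
        return Outcome{TOOL_OK, "certificate verified"};
    }
    // Every non-zero library code maps to one fixed exit status.
    return Outcome{TOOL_VERIFY_FAILED, "validation failed: library code " +
                                       std::to_string(static_cast<int>(code))};
}

int main() {
    // Ambiguous: the new library code and "file not found" are both 100.
    std::printf("overloaded: %d vs %d\n", overloadedExit(LIB_ADDED_LATER),
                static_cast<int>(OV_FILE_NOT_FOUND));
    Outcome o = separatedOutcome(LIB_ADDED_LATER);
    std::printf("separated: exit %d, %s\n", static_cast<int>(o.status),
                o.message.c_str());
    return 0;
}
```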