BIND 10 #1044: SSL/TLS certificate for b10-cmdctl is expired
BIND 10 Development
do-not-reply at isc.org
Sun Nov 25 17:48:47 UTC 2012
#1044: SSL/TLS certificate for b10-cmdctl is expired
-------------------------------------+-------------------------------------
 Reporter: cas                       | Owner: jelte
 Type: defect                        | Status: reviewing
 Priority: medium                    | Milestone: Sprint-20121204
 Component: cmd-ctl                  | Resolution:
 Keywords:                           | Sensitive: 0
 Defect Severity: High               | Sub-Project: Core
 Feature Depending on Ticket: alpha2 | Estimated Difficulty: 3.0
 Add Hours to Ticket: 0              | Total Hours: 0
 Internal?: 0                        |
-------------------------------------+-------------------------------------
Changes (by muks):
* owner: muks => jelte
Comment:
Hi Jelte

Apologies for the delay in responding as I had the day off on Friday.

Replying to [comment:13 jelte]:
> > * The way we overload Botan's `X509_Code` with our own extra values can
> > be problematic. The two should be separate I think. In case Botan adds
> > more values in future versions, it may clash with our values. In the
> > case of unittests, maybe we can regex-match the output in case we want
> > to check for Botan errors.
> >
>
> I don't think I follow. Do you mean the exit codes we add? I don't think
> the addition would be a problem (I don't really see botan adding more than
> 99 error codes); depending on the exit code in external scripts might,
> since we can't be sure botan doesn't *change* them. But in that case the
> best solution would probably be to exit with one fixed number for every
> non-zero botan code.

If Botan adds a single additional enumeration constant = 100 into that
enum, it will not break Botan's API or ABI, but it will break our
assumption upon which this code is written. I merely want to point this
out in the review, that's all. :)

The changes look good, but they are a set of changes grouped together in a
single commit with a log message "Fix review comments". :) It seems that
one unrelated change in `perfdhcp` was included by mistake as well. I
suggest breaking these into individual commits for each thing they
address.

What about Shane's comment about checking certificate expiry before using
it (comment [comment:11])? Does the code already check the expiry time in
the certificate?

--
Ticket URL: <http://bind10.isc.org/ticket/1044#comment:14>
BIND 10 Development <http://bind10.isc.org>
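
The enum clash discussed in the message above, and the "one fixed number for every non-zero botan code" alternative, as an added example that is not part of the original message or of the BIND 10 code. `LibCode` is a constructed stand-in for a third-party result enum such as Botan's `X509_Code`; every name and value in it is an assumption made for illustration.

```cpp
#include <iostream>

// Constructed stand-in for a library-owned result enum. The last constant
// models a value that a future library release adds at 100.
enum LibCode { LIB_OK = 0, LIB_CERT_EXPIRED = 1, LIB_ADDED_LATER = 100 };

// Overloaded scheme: the tool's own errors share the library's value space,
// starting at an offset the library is assumed never to reach.
const int OVERLOADED_FILE_ERROR = 100;

int overloaded_exit(LibCode lib, bool file_error) {
    if (file_error) return OVERLOADED_FILE_ERROR;
    return static_cast<int>(lib);
}

// Separated scheme: the tool owns its exit codes. Every non-zero library
// result maps to one fixed exit code; the raw value is kept for logging only.
enum class ExitCode : int { Ok = 0, LibraryError = 1, FileError = 2 };

struct Result {
    ExitCode exit;   // what the process returns to the caller
    int lib_detail;  // raw library code, 0 when not applicable
};

Result separated_exit(LibCode lib, bool file_error) {
    if (file_error) return {ExitCode::FileError, 0};
    if (lib != LIB_OK) return {ExitCode::LibraryError, static_cast<int>(lib)};
    return {ExitCode::Ok, 0};
}

int main() {
    // Overloaded: a new library value and the tool's file error both yield 100,
    // so a calling script cannot tell them apart.
    std::cout << "overloaded, new library code: "
              << overloaded_exit(LIB_ADDED_LATER, false) << "\n";
    std::cout << "overloaded, file error:       "
              << overloaded_exit(LIB_OK, true) << "\n";

    // Separated: the two cases stay distinct whatever the library adds.
    Result lib_err = separated_exit(LIB_ADDED_LATER, false);
    Result file_err = separated_exit(LIB_OK, true);
    std::cout << "separated, new library code:  "
              << static_cast<int>(lib_err.exit)
              << " (library detail " << lib_err.lib_detail << ")\n";
    std::cout << "separated, file error:        "
              << static_cast<int>(file_err.exit) << "\n";
    return 0;
}
```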