Changeset 1184:8c340f832127 in freeDiameter for libfdcore


Timestamp:
Jun 6, 2013, 8:05:36 PM (11 years ago)
Author:
Sebastien Decugis <sdecugis@freediameter.net>
Branch:
default
Phase:
public
Message:

Remove auto-use of the certificate as CA when CA was not provided, since now TLS_cred can be ignored when TLS is not used.

File:
1 edited

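--- a/libfdcore/config.c
+++ b/libfdcore/config.c
@@ -279,18 +279,4 @@
         }
 
-        /* If the CA is not provided, let's use the same file (assuming self-signed certificate) */
-        if ((!fd_g_config->cnf_sec_data.tls_disabled) && (!fd_g_config->cnf_sec_data.ca_file)) {
-                CHECK_MALLOC( fd_g_config->cnf_sec_data.ca_file = strdup(fd_g_config->cnf_sec_data.cert_file) );
-                CHECK_GNUTLS_DO( fd_g_config->cnf_sec_data.ca_file_nr += gnutls_certificate_set_x509_trust_file(
-                                        fd_g_config->cnf_sec_data.credentials,
-                                        fd_g_config->cnf_sec_data.ca_file,
-                                        GNUTLS_X509_FMT_PEM),
-                                {
-                                        TRACE_ERROR("Unable to use the local certificate as trusted security anchor (CA), please provide a valid TLS_CA='...' directive.");
-                                        return EINVAL;
-                                } );
-        }
-
-
         /* Resolve hostname if not provided */
         if (fd_g_config->cnf_diamid == NULL) {
@@ -453,5 +439,5 @@
                                 fd_log_debug("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file);
                                 if (output & GNUTLS_CERT_SIGNER_NOT_FOUND)
-                                        TRACE_ERROR(" - The certificate hasn't got a known issuer.");
+                                        TRACE_ERROR(" - The certificate hasn't got a known issuer. Did you forget to specify TLS_CA ?");
                                 if (output & GNUTLS_CERT_SIGNER_NOT_CA)
                                         TRACE_ERROR(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints.");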
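Review bot: With the self-signed fallback removed in the first hunk (old lines 281–294), a configuration that keeps TLS enabled but gives no TLS_CA directive now leaves `fd_g_config->cnf_sec_data.ca_file` NULL, and the only diagnostic visible in this changeset is the verification-time hint added at new line 441. Unless a trust anchor is loaded by another directive I cannot see here, it would be clearer to reject that configuration at load time, next to where the removed block used to be, rather than start a peer whose chain presumably can never validate: `if (!fd_g_config->cnf_sec_data.tls_disabled && !fd_g_config->cnf_sec_data.ca_file) { TRACE_ERROR("TLS is enabled but no TLS_CA='...' directive was provided."); return EINVAL; }`. Dropping the silent reuse of the local certificate as the sole trust anchor is the right direction; the explicit check just makes the new requirement visible at the point the operator would look first. The enclosing function starts before and ends after both hunks.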