- 14 Jul, 2018 4 commits
  - Vincent Pelletier authored
    It is not expiration which is disabled, but pruning from database.
  - Vincent Pelletier authored
  - Vincent Pelletier authored
    For consistency with other places in caucase.
  - Vincent Pelletier authored
- 13 Jul, 2018 4 commits
  - Vincent Pelletier authored
    No certificate is needed to be an anonymous client, only up-to-date CA and CRL are needed to validate service certificate.
  - Vincent Pelletier authored
    Also, document why CA certificate expiration is not tracked explicitly.
  - Vincent Pelletier authored
  - Vincent Pelletier authored
- 12 Jul, 2018 10 commits
  - Vincent Pelletier authored
  - Vincent Pelletier authored
  - Vincent Pelletier authored
    Contains a few handy commands to run before sending patches.
  - Vincent Pelletier authored
  - Vincent Pelletier authored
    Otherwise, this port will fail https handshake if clients connect too early.
  - Vincent Pelletier authored
    netloc is the public access point to a caucase instance. bind is the private access point to a caucase instance, which may be different (ex: NAT). Allow overriding netloc address with --bind. As a consequence, add support for multiple binds: a netloc may resolve to multiple addresses (ex: one IPv4, one global IPv6 and one Unique Local Address). As a further consequence, systematically disable automatic IPv4 binding when binding to an IPv6 address. Also, allow overriding netloc port with --base-port. The same port pair will be used on all bound hosts. Share SSL context between multiple https sockets. To increase binding visibility, print bindings, and print when exiting.
  - Vincent Pelletier authored
    pyca/cryptography 21st release is out and caucase already requires is_signature_valid. Also, literal IPv6 CRL distribution points do not fail anymore - add test. No more known 1.0 blockers! Weee!
  - Vincent Pelletier authored
  - Vincent Pelletier authored
    Also, remove irrelevant key usage extension, as during certificate renewal the extensions of the existing certificate are used, not the ones of the certificate signing request.
  - Vincent Pelletier authored
    Found by shellcheck.
- 08 Jul, 2018 1 commit
  - Vincent Pelletier authored
    Do not rely on test's -a & -o. Escape backslashes which are intended as literals. Avoid one useless "cat". Avoid testing $?. Simplify "is integer?" test. Quote a few variable expansions. Arithmetic expression does not need explicit expansion. Split declaration and assignment to unmask status. Disable shellcheck warning about "local" being undefined in POSIX.
- 04 Nov, 2017 9 commits
  - Vincent Pelletier authored
  - Vincent Pelletier authored
  - Vincent Pelletier authored
    Also, drop redundant HTTP version fallback: this is already handled in BaseHTTPRequestHandler.
  - Vincent Pelletier authored
  - Vincent Pelletier authored
  - Vincent Pelletier authored
  - Vincent Pelletier authored
    Export is already provided by the regular protocol.
  - Vincent Pelletier authored
    CRL object comparison does not check the list of revoked certificates. Instead, compare signatures as they are supposed to be all-inclusive.
  - Vincent Pelletier authored
- 03 Nov, 2017 12 commits
  - Vincent Pelletier authored
  - Vincent Pelletier authored
    Thanks, pylint.
  - Vincent Pelletier authored
  - Vincent Pelletier authored
  - Vincent Pelletier authored
  - Vincent Pelletier authored
    Too many issues with processes not willing to shut down. Instead, spawn threads, use an event to stop caucased while sleeping, and make it stop its http[s] servers more gracefully. Increases reliability of tests, especially when checking coverage.
  - Vincent Pelletier authored
    For offline database administration: restoring backups, importing and exporting CA key pairs.
  - Vincent Pelletier authored
    For easier use when renewing a single certificate after restoring backups, for example.
  - Vincent Pelletier authored
    Also, makes them not count against the maximum number of auto-emitted certificates.
  - Vincent Pelletier authored
    Also, inline createCAKeyPair method in its only caller. This was not intended to be part of the API. Prepares support for externally-provided CA certificates.
  - Vincent Pelletier authored
    This is called from many places which make sense to call independently and should not conflict. So protect against parallel CA renewal. Result code will never block: a single thread will process renewal, concurrent threads will just use the still-valid latest CA.
  - Vincent Pelletier authored
    This is fixed in latest cryptography module. Forgotten when cryptography minimal version was bumped to 2.1.1.