Commit 4c1fc325 authored by Vincent Pelletier's avatar Vincent Pelletier

caucase.http: Accept user certificates signed by non-current CA.

Otherwise, client certificates issued before a new CA is used get rejected
once the new CA becomes current.
parent 03807a53
Pipeline #13366 passed with stage
in 0 seconds
......@@ -308,7 +308,10 @@ def getSSLContext(
# certificate.
#ssl_context.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
ssl_context.load_verify_locations(
cadata=utils.toUnicode(cau.getCACertificate()),
cadata=utils.toUnicode(b'\n'.join(
utils.dump_certificate(x)
for x in cau.getCACertificateList()
)),
)
http_cas_certificate_list = http_cas.getCACertificateList()
threshold_delta = datetime.timedelta(threshold, 0)
......
......@@ -1523,6 +1523,11 @@ class CaucaseTest(unittest.TestCase):
datetime.timedelta(100, 0),
)
self._startServer()
# A user certificate signed by the old CA must still be accetped
self._runClient(
'--user-key', new_user_key,
'--list-csr', # Whatever restricted operation
)
self._runClient(
'--mode', 'user',
# 100 days is longer than certificate life, so it will be immediately
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment