- Handle the case where the signing certificate changed. The ssl_crtd daemon
must drop cached certificates which were signed with older signing
certificates and generate new ones using the current signing certificate.
- We need to generate certificates with different serial numbers if the
signing certificate has changed in any way, even if the certificates have
exactly the same fields.
To achieve this we first generate a temporary fake certificate whose
serial number is the hash digest of the signing certificate's public key. The digest
of the temporary fake certificate is used as the serial key of the final certificate.
- Bug fix: A cached certificate which had been adapted with one or more algorithms
(setNotAfter, setNotBefore, setCommonName etc) was not used, and a new
certificate was always generated. This patch fixes this bug.
Notes:
- Ssl::ssl_match_certificates is replaced with the Ssl::certificateMatchesProperties
function, which checks if a given certificate matches given properties:
it checks if the certificate is signed with the current signing certificate, and
checks if the mimicked certificate matches the given certificate.
- The Ssl::CertificateDb::purgeCert method is added to delete a certificate from
the database.
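
The two-step serial derivation and the purge-on-signer-change behaviour described in the message above, as an added example that is not part of the commit or of Squid's code. It is a simplified model: certificates are plain field dictionaries rather than X.509 structures, SHA-256 is an assumed digest, the signer check compares a fingerprint instead of verifying a signature, and all names (`derive_serial`, `CertCache`, the sample keys) are hypothetical.

```python
import hashlib

def digest(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (the digest choice is an assumption)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def encode_fields(fields: dict) -> bytes:
    """Stand-in for the DER encoding of the mimicked certificate fields."""
    return "\n".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()

def derive_serial(signer_pubkey: bytes, fields: dict) -> int:
    # Step 1: temporary certificate whose serial is the digest of the
    # signing certificate's public key.
    temp_cert = digest(signer_pubkey) + encode_fields(fields)
    # Step 2: the digest of that temporary certificate becomes the final
    # serial. RFC 5280 allows at most 20 octets and requires a positive value.
    raw = bytearray(digest(temp_cert)[:20])
    raw[0] &= 0x7F
    return int.from_bytes(raw, "big")

class CertCache:
    """Hypothetical cache keyed by the requested certificate fields."""
    def __init__(self):
        self.db = {}
        self.generated = 0

    def get(self, signer_pubkey: bytes, fields: dict) -> int:
        key = encode_fields(fields)
        entry = self.db.get(key)
        # Model of the "signed with the current signing certificate" check:
        # compare the recorded signer fingerprint.
        if entry and entry["signer"] != digest(signer_pubkey):
            del self.db[key]  # purge the certificate issued by the old signer
            entry = None
        if entry is None:
            entry = {"signer": digest(signer_pubkey),
                     "serial": derive_serial(signer_pubkey, fields)}
            self.db[key] = entry
            self.generated += 1
        return entry["serial"]

# Constructed sample input: two signing keys, identical certificate fields.
OLD_KEY, NEW_KEY = b"constructed-signing-key-A", b"constructed-signing-key-B"
FIELDS = {"CN": "www.example.com", "notBefore": "2020-01-01", "notAfter": "2030-01-01"}
```

Because the signer's public key feeds the serial, a client that already saw the old certificate for a host never receives a second certificate with the same issuer fields and serial but different contents.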