|
 |
937096 |
From 0de93c9e1597b20f71bb61d5375ded546cfd2fa8 Mon Sep 17 00:00:00 2001
|
|
|
937096 |
From: Jiri Vymazal <jvymazal@redhat.com>
|
|
|
937096 |
Date: Wed, 11 Dec 2019 15:35:26 +0100
|
|
|
937096 |
Subject: [PATCH] Changed default for permitExpiredCerts to "off"
|
|
|
937096 |
|
|
|
937096 |
This is to be conssitent with rsyslog's prior behavior where
|
|
|
937096 |
expired certs were automatically rejected
|
|
|
937096 |
---
|
|
|
937096 |
runtime/nsd_gtls.c | 10 +++++-----
|
|
|
937096 |
runtime/nsd_ossl.c | 8 ++++----
|
|
|
937096 |
2 files changed, 9 insertions(+), 9 deletions(-)
|
|
|
937096 |
|
|
|
937096 |
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
|
|
|
937096 |
index 5df12994d1..2be0ca9c92 100644
|
|
|
937096 |
--- a/runtime/nsd_gtls.c
|
|
|
937096 |
+++ b/runtime/nsd_gtls.c
|
|
|
937096 |
@@ -1461,16 +1461,16 @@ SetPermitExpiredCerts(nsd_t *pNsd, uchar *mode)
|
|
|
937096 |
nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd;
|
|
|
937096 |
|
|
|
937096 |
ISOBJ_TYPE_assert((pThis), nsd_gtls);
|
|
|
937096 |
- /* default is set to warn! */
|
|
|
937096 |
- if(mode == NULL || !strcasecmp((char*)mode, "warn")) {
|
|
|
937096 |
- pThis->permitExpiredCerts = GTLS_EXPIRED_WARN;
|
|
|
937096 |
- } else if(!strcasecmp((char*) mode, "off")) {
|
|
|
937096 |
+ /* default is set to off! */
|
|
|
937096 |
+ if(mode == NULL || !strcasecmp((char*)mode, "off")) {
|
|
|
937096 |
pThis->permitExpiredCerts = GTLS_EXPIRED_DENY;
|
|
|
937096 |
+ } else if(!strcasecmp((char*) mode, "warn")) {
|
|
|
937096 |
+ pThis->permitExpiredCerts = GTLS_EXPIRED_WARN;
|
|
|
937096 |
} else if(!strcasecmp((char*) mode, "on")) {
|
|
|
937096 |
pThis->permitExpiredCerts = GTLS_EXPIRED_PERMIT;
|
|
|
937096 |
} else {
|
|
|
937096 |
LogError(0, RS_RET_VALUE_NOT_SUPPORTED, "error: permitexpiredcerts mode '%s' not supported by "
|
|
|
937096 |
- "ossl netstream driver", mode);
|
|
|
937096 |
+ "gtls netstream driver", mode);
|
|
|
937096 |
ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
|
|
|
937096 |
}
|
|
|
937096 |
|
|
|
937096 |
diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
|
|
|
937096 |
index 4f8dd845ab..ebb2537d72 100644
|
|
|
937096 |
--- a/runtime/nsd_ossl.c
|
|
|
937096 |
+++ b/runtime/nsd_ossl.c
|
|
|
937096 |
@@ -1130,11 +1130,11 @@ SetPermitExpiredCerts(nsd_t *pNsd, uchar *mode)
|
|
|
937096 |
nsd_ossl_t *pThis = (nsd_ossl_t*) pNsd;
|
|
|
937096 |
|
|
|
937096 |
ISOBJ_TYPE_assert((pThis), nsd_ossl);
|
|
|
937096 |
- /* default is set to warn! */
|
|
|
937096 |
- if(mode == NULL || !strcasecmp((char*)mode, "warn")) {
|
|
|
937096 |
- pThis->permitExpiredCerts = OSSL_EXPIRED_WARN;
|
|
|
937096 |
- } else if(!strcasecmp((char*) mode, "off")) {
|
|
|
937096 |
+ /* default is set to off! */
|
|
|
937096 |
+ if(mode == NULL || !strcasecmp((char*)mode, "off")) {
|
|
|
937096 |
pThis->permitExpiredCerts = OSSL_EXPIRED_DENY;
|
|
|
937096 |
+ } else if(!strcasecmp((char*) mode, "warn")) {
|
|
|
937096 |
+ pThis->permitExpiredCerts = OSSL_EXPIRED_WARN;
|
|
|
937096 |
} else if(!strcasecmp((char*) mode, "on")) {
|
|
|
937096 |
pThis->permitExpiredCerts = OSSL_EXPIRED_PERMIT;
|
|
|
937096 |
} else {
|