Correct client certificate validation policy on Windows and macOS. #1966
Co-authored-by: Nick Banks <[email protected]>
This change passing this easily has me worried. It's making me wonder if somehow the right tests are not being run in openssl. Something we should definitely double check.
I also agree with this sentiment. We need to take a close look at the tests (with this PR) to (1) make sure the existing tests are working and (2) add any tests that we are missing to actually validate this. The fact that tests passed without this change is bad.
Also, CLOG failed, so you need to regen the sidecar/headers.
@@ -87,15 +87,12 @@ CxPlatTlsVerifyCertificate( | |||
CertFlags |= CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT; | |||
} | |||
|
|||
uint32_t IgnoreFlags = |
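Review bot: nothing in the visible context around the `uint32_t IgnoreFlags =` assignment documents which validation errors `CxPlatTlsVerifyCertificate` is meant to ignore, yet the hunk header shows this block shrinking from 15 lines to 12. Suggest a short comment above `IgnoreFlags` stating the intended ignore policy, and a test that fails if a flag is added back here, so the removal does not get silently reverted later.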
I feel like I did this on purpose when I wrote it, but I don't remember now, so I'm removing it.
The wrong certificate validation policy was being used for client certificates with OpenSSL on Windows and macOS. Closes #1803.