View Issue Details

IDProjectCategoryView StatusLast Update
0000990Main CAcert Websiteaccount administrationpublic2014-06-08 09:53
ReporterINOPIAE Assigned ToBenBE  
PrioritynormalSeverityminorReproducibilityalways
Status fix availableResolutionopen 
Summary0000990: While revoking client certificate set login flag to false and block setting it back to true
DescriptionWhen a client certificate is revoked the login flag stays unchanged.
It is also possible to alter the login flag for revoked client certificates from false to true.
TagsNo tags attached.
Reviewed by
Test Instructions

Relationships

related to 0000823 needs workUli60 No warning when removing e-mail adres from acount that certificates wil be revoked 

Activities

Uli60

2011-10-01 13:57

updater   ~0002560

related to tests under bug 0000823
it does not make sense to take care about addtl. settings

see report
https://bugs.cacert.org/view.php?id=823#c2558
many client certs created with login-allowed and login-not-allowed

all revoked certs are prevented from login thru cert-login
either certs set with login-allowed or not
the cert-login allowed/not-allowed is a flag that is _not_ included
into a client cert. its an addtl. setting in the database and is only checked in login procedure if client certs are identified as valid
so every revoked, pending or other client-certs state != valid is prevented from successful login so the severity is 0

Uli60

2011-10-01 14:01

updater   ~0002561

its very very questionable that this needs a fix

client-cert login is prevented if a client certs state is NE valid
no matter other settings

revoked certs are listed as "hidden" (you have actively select show _all_ client certs in an account, to reach the page where you can change the setting for login allowed/not-allowed setting related to a cert -and-
it has no effect if you enable or disable a login-allowed setting on a revoked client cert

INOPIAE

2014-03-16 08:56

updater   ~0004644

I pushed a fix to https://github.com/INOPIAE/CAcert/tree/bug-990

We should use the following sql query as cleanup for all existing revoked client certificates
Update `emailcerts` set `disablelogin`=1 where `revoked`!='0000-00-00 00:00:00'

INOPIAE

2014-03-23 17:46

updater   ~0004677

I extended the bug to handle the expired certs similar to the revoked once.
There is a new cron script for the cleanup of expired and revoked certificates that should run once a an hour.
The fix is avilable under https://github.com/INOPIAE/CAcert/tree/bug-990

To test:
Go to the account and see if revoked and expired client certificates show the login flag. The checkbox should be disabled and empty.

With an unassured account create new certificates and check them one week later if the expired certs are disabled.

Create a new certificate and revoke it again. After the revokation the revoked certificate should be disabled.

INOPIAE

2014-06-08 09:42

updater   ~0004805

Last edited: 2014-06-08 09:53

View 2 revisions

I merged the branch with the recent release and testserver-stable branches.
The fix is avilable under https://github.com/INOPIAE/CAcert/tree/bug-990 [^]

Issue History

Date Modified Username Field Change
2011-10-01 07:21 INOPIAE New Issue
2011-10-01 13:47 Uli60 Relationship added related to 0000823
2011-10-01 13:57 Uli60 Note Added: 0002560
2011-10-01 14:01 Uli60 Note Added: 0002561
2011-10-01 14:01 Uli60 Assigned To => Uli60
2011-10-01 14:01 Uli60 Status new => needs feedback
2014-03-16 08:49 INOPIAE Assigned To Uli60 => INOPIAE
2014-03-16 08:56 INOPIAE Note Added: 0004644
2014-03-16 08:56 INOPIAE Status needs feedback => needs work
2014-03-16 08:56 INOPIAE Assigned To INOPIAE => BenBE
2014-03-16 08:56 INOPIAE Status needs work => fix available
2014-03-23 17:46 INOPIAE Note Added: 0004677
2014-06-08 09:42 INOPIAE Note Added: 0004805
2014-06-08 09:53 INOPIAE Note Edited: 0004805 View Revisions