View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000990||Main CAcert Website||account administration||public||2011-10-01 07:21||2014-06-08 09:53|
|Summary||0000990: While revoking client certificate set login flag to false and block setting it back to true|
|Description||When a client certificate is revoked the login flag stays unchanged.|
It is also possible to alter the login flag for revoked client certificates from false to true.
|Tags||No tags attached.|
related to tests under bug 0000823
it does not make sense to take care about addtl. settings
many client certs created with login-allowed and login-not-allowed
all revoked certs are prevented from login thru cert-login
either certs set with login-allowed or not
the cert-login allowed/not-allowed is a flag that is _not_ included
into a client cert. its an addtl. setting in the database and is only checked in login procedure if client certs are identified as valid
so every revoked, pending or other client-certs state != valid is prevented from successful login so the severity is 0
its very very questionable that this needs a fix
client-cert login is prevented if a client certs state is NE valid
no matter other settings
revoked certs are listed as "hidden" (you have actively select show _all_ client certs in an account, to reach the page where you can change the setting for login allowed/not-allowed setting related to a cert -and-
it has no effect if you enable or disable a login-allowed setting on a revoked client cert
I pushed a fix to https://github.com/INOPIAE/CAcert/tree/bug-990
We should use the following sql query as cleanup for all existing revoked client certificates
Update `emailcerts` set `disablelogin`=1 where `revoked`!='0000-00-00 00:00:00'
I extended the bug to handle the expired certs similar to the revoked once.
There is a new cron script for the cleanup of expired and revoked certificates that should run once a an hour.
The fix is avilable under https://github.com/INOPIAE/CAcert/tree/bug-990
Go to the account and see if revoked and expired client certificates show the login flag. The checkbox should be disabled and empty.
With an unassured account create new certificates and check them one week later if the expired certs are disabled.
Create a new certificate and revoke it again. After the revokation the revoked certificate should be disabled.
I merged the branch with the recent release and testserver-stable branches.
The fix is avilable under https://github.com/INOPIAE/CAcert/tree/bug-990 [^]
|2011-10-01 07:21||INOPIAE||New Issue|
|2011-10-01 13:47||Uli60||Relationship added||related to 0000823|
|2011-10-01 13:57||Uli60||Note Added: 0002560|
|2011-10-01 14:01||Uli60||Note Added: 0002561|
|2011-10-01 14:01||Uli60||Assigned To||=> Uli60|
|2011-10-01 14:01||Uli60||Status||new => needs feedback|
|2014-03-16 08:49||INOPIAE||Assigned To||Uli60 => INOPIAE|
|2014-03-16 08:56||INOPIAE||Note Added: 0004644|
|2014-03-16 08:56||INOPIAE||Status||needs feedback => needs work|
|2014-03-16 08:56||INOPIAE||Assigned To||INOPIAE => BenBE|
|2014-03-16 08:56||INOPIAE||Status||needs work => fix available|
|2014-03-23 17:46||INOPIAE||Note Added: 0004677|
|2014-06-08 09:42||INOPIAE||Note Added: 0004805|
|2014-06-08 09:53||INOPIAE||Note Edited: 0004805|