View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000990 | Main CAcert Website | account administration | public | 2011-10-01 07:21 | 2014-06-08 09:53 |
Reporter | INOPIAE | Assigned To | BenBE | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | fix available | Resolution | open | ||
Summary | 0000990: While revoking client certificate set login flag to false and block setting it back to true | ||||
Description | When a client certificate is revoked the login flag stays unchanged. It is also possible to alter the login flag for revoked client certificates from false to true. | ||||
Tags | No tags attached. | ||||
Reviewed by | |||||
Test Instructions | |||||
Notes

(0002560) Uli60 2011-10-01 13:57
Related to the tests under bug 0000823, it does not make sense to take care of additional settings; see the report at https://bugs.cacert.org/view.php?id=823#c2558. Many client certs were created with login-allowed and login-not-allowed; all revoked certs are prevented from login through cert-login, whether the certs are set to login-allowed or not. The cert-login allowed/not-allowed is a flag that is _not_ included in a client cert. It is an additional setting in the database and is only checked in the login procedure if client certs are identified as valid, so every revoked, pending or other client cert with state != valid is prevented from a successful login. So the severity is 0.

(0002561) Uli60 2011-10-01 14:01
It is very, very questionable that this needs a fix. Client-cert login is prevented if a client cert's state is not equal to valid, no matter the other settings. Revoked certs are listed as "hidden" (you have to actively select "show _all_ client certs" in an account to reach the page where you can change the login allowed/not-allowed setting related to a cert), and it has no effect if you enable or disable a login-allowed setting on a revoked client cert.

(0004644) INOPIAE 2014-03-16 08:56
I pushed a fix to https://github.com/INOPIAE/CAcert/tree/bug-990. We should use the following SQL query as cleanup for all existing revoked client certificates:

```sql
UPDATE `emailcerts` SET `disablelogin` = 1 WHERE `revoked` != '0000-00-00 00:00:00';
```

(0004677) INOPIAE 2014-03-23 17:46
I extended the bug to handle the expired certs similarly to the revoked ones. There is a new cron script for the cleanup of expired and revoked certificates that should run once an hour. The fix is available under https://github.com/INOPIAE/CAcert/tree/bug-990. To test: go to the account and see whether revoked and expired client certificates show the login flag. The checkbox should be disabled and empty. With an unassured account, create new certificates and check them one week later to see whether the expired certs are disabled. Create a new certificate and revoke it again. After the revocation the revoked certificate should be disabled.

(0004805) INOPIAE 2014-06-08 09:42 (edited 2014-06-08 09:53)
I merged the branch with the recent release and testserver-stable branches. The fix is available under https://github.com/INOPIAE/CAcert/tree/bug-990
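The two positions taken in the notes above can be checked side by side: the login procedure only consults `disablelogin` once a certificate is identified as valid, and the hourly cleanup forces `disablelogin=1` on revoked and expired rows anyway so the flag shown in the account view matches reality. The following is an added example written for this page, not CAcert's own code or the code in the bug-990 branch. It models `emailcerts` in an in-memory SQLite table as a stand-in for MySQL; the column names `revoked` and `disablelogin` and the `0000-00-00 00:00:00` sentinel come from the query in note 0004644, while `expire` is an assumed name for the expiry column, and the cleanup query extends the revoked-only query from the notes to expired certificates as note 0004677 describes.

```python
import sqlite3
from datetime import datetime, timedelta

# MySQL "never revoked" sentinel, as used in the cleanup query from the bug notes.
NOT_REVOKED = "0000-00-00 00:00:00"
FMT = "%Y-%m-%d %H:%M:%S"
# Fixed "now" so the constructed rows below are reproducible (matches the bug's last-update date).
SAMPLE_NOW = datetime(2014, 6, 8, 9, 53, 0)


def build_db(now: datetime = SAMPLE_NOW) -> sqlite3.Connection:
    """Create an in-memory stand-in for `emailcerts` populated with constructed rows.

    `expire` is an assumed column name; the other columns are taken from the bug notes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE emailcerts ("
        "id INTEGER PRIMARY KEY, memid INTEGER, "
        "revoked TEXT, expire TEXT, disablelogin INTEGER)"
    )
    future = (now + timedelta(days=30)).strftime(FMT)
    past = (now - timedelta(days=7)).strftime(FMT)
    rows = [
        # id, memid, revoked,               expire, disablelogin
        (1, 10, NOT_REVOKED,               future, 0),  # valid, login allowed
        (2, 10, NOT_REVOKED,               future, 1),  # valid, login explicitly disabled
        (3, 10, now.strftime(FMT),         future, 0),  # revoked, flag still "allowed" (the reported bug)
        (4, 10, NOT_REVOKED,               past,   0),  # expired, flag still "allowed"
    ]
    conn.executemany("INSERT INTO emailcerts VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def cert_login_permitted(conn: sqlite3.Connection, cert_id: int, now: datetime = SAMPLE_NOW) -> bool:
    """Decide cert-login in the order the notes describe: validity first, flag second.

    A revoked or expired certificate is refused before `disablelogin` is ever read,
    so a stale flag value on such a row cannot grant access.
    """
    row = conn.execute(
        "SELECT revoked, expire, disablelogin FROM emailcerts WHERE id = ?", (cert_id,)
    ).fetchone()
    if row is None:
        return False
    revoked, expire, disablelogin = row
    # Timestamps are 'YYYY-MM-DD HH:MM:SS' strings, so lexical comparison is chronological.
    is_valid = revoked == NOT_REVOKED and expire > now.strftime(FMT)
    if not is_valid:
        return False
    return disablelogin == 0


def cleanup_disable_login(conn: sqlite3.Connection, now: datetime = SAMPLE_NOW) -> int:
    """The hourly cleanup: set disablelogin=1 on every revoked or expired certificate.

    Returns the number of rows the UPDATE touched. Rows that are still valid are left alone,
    so an operator's deliberate disablelogin=1 on a valid cert (row 2) is preserved as-is.
    """
    cur = conn.execute(
        "UPDATE emailcerts SET disablelogin = 1 WHERE revoked != ? OR expire < ?",
        (NOT_REVOKED, now.strftime(FMT)),
    )
    conn.commit()
    return cur.rowcount


def flag_states(conn: sqlite3.Connection) -> dict:
    """Map cert id -> disablelogin, i.e. what the account page's checkbox would show."""
    return {
        cert_id: flag
        for cert_id, flag in conn.execute("SELECT id, disablelogin FROM emailcerts ORDER BY id")
    }


if __name__ == "__main__":
    db = build_db()
    print("before cleanup:", flag_states(db))
    for cid in (1, 2, 3, 4):
        print(f"cert {cid} login permitted: {cert_login_permitted(db, cid)}")
    print("rows fixed by cleanup:", cleanup_disable_login(db))
    print("after cleanup:", flag_states(db))
```

Running it shows the point both commenters agree on: certificate 3 (revoked, flag still 0) and certificate 4 (expired, flag still 0) are refused at login before the cleanup runs, because the flag is never consulted for a non-valid certificate; the cleanup then flips exactly those two rows to `disablelogin=1` so the account view stops displaying a misleading "login allowed" checkbox, without touching the valid rows.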
Date Modified | Username | Field | Change |
---|---|---|---|
2011-10-01 07:21 | INOPIAE | New Issue | |
2011-10-01 13:47 | Uli60 | Relationship added | related to 0000823 |
2011-10-01 13:57 | Uli60 | Note Added: 0002560 | |
2011-10-01 14:01 | Uli60 | Note Added: 0002561 | |
2011-10-01 14:01 | Uli60 | Assigned To | => Uli60 |
2011-10-01 14:01 | Uli60 | Status | new => needs feedback |
2014-03-16 08:49 | INOPIAE | Assigned To | Uli60 => INOPIAE |
2014-03-16 08:56 | INOPIAE | Note Added: 0004644 | |
2014-03-16 08:56 | INOPIAE | Status | needs feedback => needs work |
2014-03-16 08:56 | INOPIAE | Assigned To | INOPIAE => BenBE |
2014-03-16 08:56 | INOPIAE | Status | needs work => fix available |
2014-03-23 17:46 | INOPIAE | Note Added: 0004677 | |
2014-06-08 09:42 | INOPIAE | Note Added: 0004805 | |
2014-06-08 09:53 | INOPIAE | Note Edited: 0004805 | |