The new isLocalPki checks added recently trust Local PKI certificates, regardless of their validity. This introduces some (admittedly bizarre) possibilities for accepting invalid certificates when using Convergence behind a proxy which terminates external sessions under the scope of a Local PKI CA.
The problem seems to be at client/chrome/content/workers/ConnectionWorker.js starting at line 65:

    if (certificateInfo.isLocalPki) {
      dump("Certificate is a local PKI cert.\n");
      return {'status' : true,
              'target' : target,
              'certificate' : certificateInfo.original,
              'details' : [{'notary' : 'Local PKI',
                            'status' : ConvergenceResponseStatus.VERIFICATION_SUCCESS}]};
    }

We need to validate the LocalPKI cert for (at a minimum) validity period.
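
One way to gate the Local PKI short-circuit on the validity period, as an added example that is not Convergence's code or part of the original report. The `notBefore`/`notAfter` fields on `certificateInfo`, the helper names and the stand-in status constant are assumptions; falling back to normal verification for an out-of-period certificate is this example's choice.

```javascript
// Added example: names below are assumptions, not Convergence's real API.
// Stand-in for ConvergenceResponseStatus.VERIFICATION_SUCCESS from the report.
const VERIFICATION_SUCCESS = 'VERIFICATION_SUCCESS';

// Returns null when `now` is inside the validity period, otherwise a reason.
// Assumes certificateInfo carries notBefore/notAfter date strings (hypothetical fields).
function validityProblem(certificateInfo, now) {
  const notBefore = Date.parse(certificateInfo.notBefore);
  const notAfter = Date.parse(certificateInfo.notAfter);
  // Fail closed: a missing or unparseable date is never treated as valid.
  if (Number.isNaN(notBefore) || Number.isNaN(notAfter)) return 'unparseable validity period';
  if (notBefore > notAfter) return 'inverted validity period';
  if (now < notBefore) return 'not yet valid';
  if (now > notAfter) return 'expired';
  return null;
}

// Returns the short-circuit success response only for a Local PKI cert that is
// currently valid; returns null so the caller continues with normal verification.
function localPkiResponse(target, certificateInfo, now = Date.now()) {
  if (!certificateInfo.isLocalPki) return null;
  const problem = validityProblem(certificateInfo, now);
  if (problem !== null) {
    console.log('Local PKI cert not trusted: ' + problem);
    return null;
  }
  return {
    status: true,
    target: target,
    certificate: certificateInfo.original,
    details: [{ notary: 'Local PKI', status: VERIFICATION_SUCCESS }],
  };
}

// Constructed sample certificates and clock value, for illustration only.
const sampleNow = Date.parse('2012-06-01T00:00:00Z');
const validCert = { isLocalPki: true, original: 'cert-bytes',
  notBefore: '2012-01-01T00:00:00Z', notAfter: '2013-01-01T00:00:00Z' };
const expiredCert = Object.assign({}, validCert, { notAfter: '2012-03-01T00:00:00Z' });
const futureCert = Object.assign({}, validCert, { notBefore: '2012-09-01T00:00:00Z' });
const undatedCert = { isLocalPki: true, original: 'cert-bytes' };
```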