moxie0
commented
12 years ago Thanks! fixed at 2699d3c4e562983aa500780448ebb3e0bf2384c8
Closed jjarmoc closed 12 years ago
moxie0
commented
12 years ago Thanks! fixed at 2699d3c4e562983aa500780448ebb3e0bf2384c8
The new isLocalPki checks added recently trust Local PKI certificates, regardless of their validity. This introduces some (admittedly bizarre) possibilities for accepting invalid certificates when using Convergence behind a proxy which terminates external sessions under the scope of a Local PKI CA.
The problem seems to be at client/chrome/content/workers/ConnectionWorker.js starting at line 65; if (certificateInfo.isLocalPki) { dump("Certificate is a local PKI cert.\n"); return {'status' : true, 'target' : target, 'certificate' : certificateInfo.original, 'details' : [{'notary' : 'Local PKI', 'status' : ConvergenceResponseStatus.VERIFICATION_SUCCESS}]}; }
We need to validate the LocalPKI cert for (at a minimum) validity period.