
certctl: fix blacklist handling
Needs Review (Public)

Authored by kevans on Sat, Jan 9, 5:27 AM.



Previous versions used a bogus /etc/ssl/blacklisted setup to manage the
blacklist, which had a number of issues. Most notably, certctl blacklist
could not possibly work as the next rehash would remove it from
/etc/ssl/blacklisted if it wasn't added to one of the source directories
that generate it.

This is basically just a certctl concept anyway, since applications will
not honor it. Replace it with a tempdir that we'll hash the blacklist into
as needed (for more efficient lookups).

Additionally, add in a /usr/local/share/certs/blacklisted that
certctl blacklist will install certs into. certctl unblacklist will
search all of the paths we can have them at and remove all matching certs
that it finds.

PR: 250681

Diff Detail

rS FreeBSD src repository - subversion