From: Arne S. <ar...@rf...> - 2023-06-30 12:50:37
On 30.06.23 at 15:31, Maximilian Fillinger wrote:
> The grammar in the 3rd sentence in the comment below is messed up. (I think I understand it, but I'm not sure.)
>
>> + if (session->opt->verify_hash_no_ca)
>> + {
>> + /*
>> + * If we decide to verify the peer certificate based on the fingerprint
>> + * we ignore wrong dates and the certificate not being trusted.
>> + * Any other problem with the certificate (wrong key, bad cert,...)
>> + * will still trigger an error.
>> + * Clearing these flags relies on verify_cert will later rejecting a
>> + * certificate that has no matching fingerprint.
>> + */
>> + uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED
>> + | MBEDTLS_X509_BADCERT_EXPIRED
>> + | MBEDTLS_X509_BADCERT_FUTURE;
>> + *flags = *flags & ~flags_ignore;
>> + }
>> +
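Review bot: The masking at `*flags = *flags & ~flags_ignore;` is only safe because of a check that is not in this hunk: the comment itself says it relies on verify_cert rejecting a certificate that has no matching fingerprint, yet nothing here ensures that check runs whenever `verify_hash_no_ca` is set. With NOT_TRUSTED, EXPIRED and FUTURE cleared, the fingerprint comparison is the only thing left that authenticates the peer, so the comment should state that dependency unambiguously. The third sentence is ungrammatical; something like "Clearing these flags relies on verify_cert later rejecting a certificate that has no matching fingerprint" reads cleanly. If the code path allows it, an explicit guard or assertion that a fingerprint is configured before the flags are masked would make the invariant visible at the point where trust is relaxed.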
>
> Also, this comment is copied verbatim from Jason's commit 423ced962d which has been reverted. I'm not a lawyer, but since comments are relatively easy to rephrase, I think it's better to do that. My suggestion:

The comment is already mine. Jason never included an mBed TLS
implementation. I attributed the commit to Jason, but some of the code
and this comment were already written by me.

Arne