[Swan-dev] X509: more clearly log warning/errors based on NSS profile used

D. Hugh Redelmeier hugh at mimosa.com
Fri Feb 22 21:15:03 UTC 2019


commit 30f132ab693ccc852dc03c24879f1eae07dd1dd1
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 22 14:30:24 2019 -0500
	X509: more clearly log warning/errors based on NSS profile used

I'm working on this code too :-(

I sure wish I better understood what it is trying to do.

There is evidence that you (Paul) don't understand the code 100%
either.

-		log_bad_cert(cur_log->head);
+		log_bad_cert(usage == certificateUsageSSLClient ? "Warning" : "ERROR",
+				cur_log->head);
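
Review bot: The severity passed as the new first argument to log_bad_cert() is a free-form string chosen by a ternary at the call site, and the two literals are cased inconsistently ("Warning" vs "ERROR"), which makes the log output harder to grep and filter. Consider passing a bool or enum and letting log_bad_cert() produce the prefix, and add a comment at this call explaining why a failure under certificateUsageSSLClient is only a warning here while every other usage is an error, since nothing in the visible lines shows what distinguishes the two cases.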

At this point, it is an ERROR.  There is no way that a different
"usage" will be tried.  As the comments above this say, the control
flow is tricky.

And why have two log messages for the same case?

I have rewritten (but not published) the code in a way that is
clearer, but still not clear enough.

I don't completely understand what "fin" means vs what "*bad" means.  And I
don't yet trust the original code to have this right.

