[FAB-17869] Allow TLS CAs with overlapping issuers (#1229)
The client root TLS CA certificate pool construction doesn't allow different issuers with the same subject name to exist in the CA cert pool. This prevents use cases where different organizations have issued CAs with the same subject name.

There is little sense to prevent this in the first place, as there can be only 2 possible cases:

I) The certificate chain validation of a TLS handshake allows this: In this case, Fabric should not artificially prevent supporting such scenarios.

II) The certificate chain validation of a TLS handshake disallows this: In this case, there is little gained in skipping pluralities in subject name during TLS CA cert pool construction, as the chain validation would prevent it anyway.

In fact, the way it is done in the current code in Fabric is not only unnecessary but also non-deterministic, as map iteration isn't deterministic in Go, therefore the behavior might not be the same across different nodes.

This change set removes the artificial constraint, and adjusts one of the integration tests that was built to adjust to the said constraint.

Change-Id: Ie93c34997ad3e134a0a04b805fb007cd036d9683
Signed-off-by: yacovm <yacovm@il.ibm.com>
Showing 3 changed files with 12 additions and 80 deletions.