From 28408fcea7b449fd43802b26fa9a6ebfc3fad0d4 Mon Sep 17 00:00:00 2001 From: Simon Rozman Date: Mon, 3 Oct 2016 09:35:45 +0200 Subject: [PATCH] ID 2. Missing functionality from security audit report partially fixed --- lib/TLS/src/Method.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/TLS/src/Method.cpp b/lib/TLS/src/Method.cpp index 25ebfbc..b617c1a 100644 --- a/lib/TLS/src/Method.cpp +++ b/lib/TLS/src/Method.cpp @@ -243,7 +243,7 @@ void eap::method_tls::begin_session( SCH_CRED_MANUAL_CRED_VALIDATION | // dwFlags: Prevent Schannel verify server certificate (we want to use custom root CA store and multiple name checking) #endif SCH_CRED_CACHE_ONLY_URL_RETRIEVAL_ON_CREATE | // dwFlags: Do not attempt online revocation check - we do not expect to have network connection yet - SCH_CRED_IGNORE_NO_REVOCATION_CHECK | // dwFlags: Ignore no-revocation-check errors (TODO: Test if this flag is required.) + SCH_CRED_IGNORE_NO_REVOCATION_CHECK | // dwFlags: Ignore no-revocation-check errors - as we cannot check for revocation, it makes little sense to insist certificate has to have revocation set-up SCH_CRED_IGNORE_REVOCATION_OFFLINE | // dwFlags: Ignore offline-revocation errors - we do not expect to have network connection yet SCH_CRED_NO_DEFAULT_CREDS | // dwFlags: If client certificate we provided is not acceptable, do not try to select one on your own (m_cfg.m_server_names.empty() ? SCH_CRED_NO_SERVERNAME_CHECK : 0) | // dwFlags: When no expected server name is given, do not do the server name check. @@ -565,7 +565,7 @@ void eap::method_tls::get_result( m_cfg.m_session_id.clear(); m_cfg.m_master_secret.clear(); #else - // TODO: Research how a Schannel session context can be cleared not to resume. + // TODO: Research how a Schannel session context can be cleared not to resume. However, until we find a way how to make Schannel resume session in the first place, we can safely ignore this. #endif break;