[openssl-project] Certificate fractional time processing in upcoming openssl releases

David Benjamin davidben at google.com
Wed Aug 15 13:35:19 UTC 2018


On Tue, Aug 14, 2018 at 2:17 PM Barry Fussell (bfussell) <bfussell at cisco.com>
wrote:

> As you might imagine we’ve continued investigating the overall impact.
> I’ve been told
>
> that in addition to IAIK that Bouncy Castle had similar issues. We are
> also aware of
>
> customers that will be impacted by the upcoming releases if certificates
> with fractional
>
> time fails to verify.
>

When you say Bouncy Castle has similar issues, do you mean that Bouncy
Castle additionally tolerates such things, or that Bouncy Castle also
generates non-compliant certificates? The former is not, in itself, a
reason to accept them certificates in OpenSSL. If the latter, do you have a
link to a bug filed with BouncyCastle? Whether or not OpenSSL accepts it,
Bouncy Castle should be fixed to match RFC 5280 going forward.

Likewise, do you have plans to fix the issue in your implementation? I
haven't confirmed this, but I don't believe Chrome or Firefox would accept
such certificates today.


> I think it’s important to maintain interoperability even in the event that
> there are
>
> minor profile violations.  If there is anything I can do to help move this
> forward
>
> please let me know.
>

While this may indeed be a case where OpenSSL must accept non-compliant
inputs, that is not good advice for implementations to follow in general.
This is part of the common interpretation of Postel's Law ("..., be liberal
in what you accept"), which has not fared well, particularly in the
security space.

See this document which describes the problems with this approach.
https://tools.ietf.org/html/draft-iab-protocol-maintenance-00


> Thanks !
>
>
>
> Barry
>
>
>
>
>
>
>
>
>
> [image: image002.jpg]
>
>
>
> *Barry Fussell*
> Technical Leader
> Security & Trust Organization
> bfussell at cisco.com
> Phone: *+1 919 392 2920 <(919)%20392-2920>*
>
> *Cisco Systems, Inc.*
> 7025-2 Kit Creek Road
> Research Triangle Park, NC 27709
> United States
> Cisco.com <http://www.cisco.com/>
>
>
>
> [image: image004.jpg]Think before you print.
>
> This email may contain confidential and privileged material for the sole
> use of the intended recipient. Any review, use, distribution or disclosure
> by others is strictly prohibited. If you are not the intended recipient (or
> authorized to receive for the recipient), please contact the sender by
> reply email and delete all copies of this message.
>
> Please click here
> <http://www.cisco.com/web/about/doing_business/legal/cri/index.html> for
> Company Registration Information.
>
>
>
>
>
>
> _______________________________________________
> openssl-project mailing list
> openssl-project at openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-project
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-project/attachments/20180815/fe55257b/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.jpg
Type: image/jpeg
Size: 7270 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-project/attachments/20180815/fe55257b/attachment-0002.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.jpg
Type: image/jpeg
Size: 952 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-project/attachments/20180815/fe55257b/attachment-0003.jpg>


More information about the openssl-project mailing list