<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1252">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 11/03/2016 01:18, Viktor Dukhovni
wrote:<br>
</div>
<blockquote class=" cite"
id="mid_20160311001827_GK10917_mournblade_imrryr_org"
cite="mid:20160311001827.GK10917@mournblade.imrryr.org"
type="cite">
<pre wrap="">On Fri, Mar 11, 2016 at 12:56:04AM +0100, Jakob Bohm wrote:
</pre>
<blockquote class=" cite" id="Cite_6255853" type="cite">
<pre wrap="">Your reply below is a perfect illustration of the expected confusion.
</pre>
</blockquote>
<pre wrap="">Sorry, I disagree. The 1.1.0 changes fix various shortcomings that
may well also be addressed in a future 1.0.2 update.
The net effect is more consistent behaviour that is the same whether
intermediate certificates are found in the trust-store or obtained
from the peer. The few applications that enable partial chain
support and the likely zero users who've created "decorated"
intermediate certs in the OpenSSL trust store might notice some
change.
If you strongly feel that the behaviour should be the same for all
users, that sounds like support for backporting the changes, which
is something I will be proposing soon.
</pre>
</blockquote>
<tt>You misunderstand completely.</tt><tt><br>
</tt><tt><br>
</tt><tt>I am arguing that:</tt><tt><br>
</tt><tt><br>
</tt><tt> - 1.0.x behavior should not be changed, as it would
violate the <br>
principle of least surprise for a "security update" to change <br>
semantics.</tt><tt><br>
</tt><tt><br>
</tt><tt> - 1.1.0 behavior is better, if it was the only OpenSSL
version <br>
ever to exist, but it isn't.</tt><tt><br>
</tt><tt><br>
</tt><tt> - Therefore the 1.1.0 behavior should use the CA directory
shared <br>
with 1.0.x in a way consistent with how 1.0.x uses that
directory <br>
(as a repository for trust anchors only, as far as I understand
<br>
your non-replies), while 1.1.0 should store untrusted
intermediary <br>
certificates in a different directory where they don't affect <br>
1.0.x instances running on the same machine.</tt><tt><br>
</tt><br>
<br>
<pre class="moz-signature" cols="72">Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. <a class="moz-txt-link-freetext" href="https://www.wisemo.com">https://www.wisemo.com</a>
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded </pre>
</body>
</html>