[openssl-dev] [openssl.org #3562] leading dots in nameConstraints ... bug report and patch
Salz, Rich via RT
rt at openssl.org
Thu Jan 1 19:07:07 UTC 2015
> This is a "security issue" in the sense that it is a Type-II error (disallowing good
> guys). It affects thousands of sites and who-knows-how-many users.
Well, kinda. It disallows good guys who made a mistake and are violating the RFC. Sure, they're not written in stone and that particular RFC has its share of issues, but calling this a security issue doesn't seem right. Allowing greater interop, with minimal security exposure, seems a better way to put it. A more compliant fix is to re-issue the CA and its subordinates, while working the RFC issues through the IETF. But OpenSSL is very pragmatic.
> *** It would make sense to fix the nameConstraints bypass bug
> *** [openssl.org #3502] at the same time.
That's a bigger change and the RT commentary has lots of caveats about the code there as you know (since you wrote them).
> *** Otherwise the whole nameConstraints concept is pretty much
> *** pointless.
There are those who think that anyway.
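For readers following the thread, an added example (not code from the ticket, the patch, or OpenSSL) showing why a leading dot matters: a dNSName nameConstraints matcher with RFC 5280 semantics in strict mode, and an assumed lenient mode that reads a leading-dot constraint as "proper subdomains only" so that otherwise-valid certificates under such a CA are no longer rejected.

```python
# Added example, not from the thread or from OpenSSL. Implements dNSName
# nameConstraints matching per RFC 5280 4.2.1.10: a name satisfies a
# constraint when it equals the constraint or is formed by prepending one or
# more labels to it. A constraint with a leading dot is not RFC-compliant;
# in strict mode it never matches (the Type-II error discussed above),
# in lenient mode it is assumed to mean "any proper subdomain".

def _labels(name: str):
    # Case-insensitive label list; drops an optional trailing root dot.
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]

def dns_name_matches(name: str, constraint: str, strict: bool = True) -> bool:
    """True if `name` satisfies the dNSName `constraint`."""
    subdomain_only = constraint.startswith(".")
    if subdomain_only and strict:
        return False                      # leading dot: reject under strict RFC reading
    n, c = _labels(name), _labels(constraint)
    if not c or len(n) < len(c):
        return False
    if n[-len(c):] != c:                  # compare whole labels, so evilexample.com != example.com
        return False
    if subdomain_only:
        return len(n) > len(c)            # ".example.com" must not match "example.com" itself
    return True

def check_constraints(name: str, permitted, excluded, strict: bool = True) -> bool:
    """Apply permittedSubtrees/excludedSubtrees (dNSName only) to one SAN entry."""
    if any(dns_name_matches(name, e, strict) for e in excluded):
        return False                      # excluded subtrees always win
    if permitted and not any(dns_name_matches(name, p, strict) for p in permitted):
        return False                      # a non-empty permitted list must match
    return True

if __name__ == "__main__":
    # Constructed sample: a CA constrained with the non-compliant ".example.com".
    print(check_constraints("www.example.com", [".example.com"], []))               # False (strict)
    print(check_constraints("www.example.com", [".example.com"], [], strict=False))  # True (lenient)
```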