[openssl-dev] Is X509_V_FLAG_TRUSTED_FIRST safe to backport to 1.0.1
Fedor Indutny
fedor at indutny.com
Thu Jan 15 14:13:49 UTC 2015
Hello!
During the course of deprecation of stale 1024bit CA certs,
node.js and io.js project teams have identified the problem with
how OpenSSL client handles the server's certificate chain. It is
quite evident that it ignores certificate store and loads issuer
from the chain that was received. This leads to the problems with
AWS and probably other service providers who sent the stale
**alternative** certificate chain with same serial numbers, but
1024bit CA certificates.
I have already tried proposing a solution to the OpenSSL team:
https://www.mail-archive.com/openssl-dev@openssl.org/msg37721.html
But one of the node.js contributors we have found this commit (from 2010):
https://github.com/openssl/openssl/commit/db28aa86e00b9121bee94d1e65506bf22d5ca6e3
The main question that I have is:
Is it safe to float this patch on top of 1.0.1k and use it? From
my knowledge of code it appears to be pretty harmless, however
the fact that it wasn't backported in 5 years makes me wonder if
it was considered safe after all.
Thank you,
Fedor.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150115/18723003/attachment.html>
More information about the openssl-dev
mailing list