[openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format
Erwann Abalea via RT
rt at openssl.org
Fri Feb 12 11:11:08 UTC 2016
Hello,
On 12 Feb 2016 at 01:11, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> wrote:
> Again, you are right, but what's the lesser evil - being unable to use the new OpenSSL because it refuses to deal with the cert that some dim-witted TPM maker screwed up, or accept a certificate with a (minor) violation of DER (but not of BER)? What bad thing, in your opinion, could happen if OpenSSL allowed parsing an integer with a leading zero byte (when it shouldn't be there by DER)?
As shown yesterday, this INTEGER encoding isn’t even valid BER.
Being liberal in what you accept, when dealing with crypto, gives you stuff like this: https://www.mozilla.org/en-US/security/advisories/mfsa2014-73/
Regards,
Erwann Abalea
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4301
Please log in as guest with password guest if prompted
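The point at issue in the exchange above is that X.690 clause 8.3.2 forbids an INTEGER whose first nine bits are all zeros (or all ones) in BER as well as DER, so a value such as `02 02 00 41` is not a "minor DER violation" but an invalid encoding, and the linked Mozilla advisory (RSA signature forgery in NSS, caused by lenient ASN.1 parsing) is the kind of consequence lenient parsers invite. The following is an added example, not code from OpenSSL or from either poster: a small strict INTEGER TLV checker in C that rejects non-minimal length octets and non-minimal contents octets. The enum names, the `check_hex` helper and the test vectors are this example's own constructions, not anything from the ticket.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the strict INTEGER check (names are this example's own). */
enum int_check {
    INT_OK = 0,
    INT_TRUNCATED,         /* buffer ends before the TLV does */
    INT_BAD_TAG,           /* first octet is not 0x02 (UNIVERSAL 2, INTEGER) */
    INT_BAD_LENGTH,        /* indefinite, oversized or non-minimal length octets */
    INT_EMPTY,             /* zero contents octets: X.690 8.3.1 requires at least one */
    INT_NONMINIMAL_VALUE   /* leading 0x00 or 0xFF carrying no sign information: X.690 8.3.2 */
};

/* Check the INTEGER TLV at buf[0..len).  On INT_OK, *out/*out_len describe
 * the contents octets (both pointers may be NULL).  Nothing is copied. */
enum int_check der_integer_check(const uint8_t *buf, size_t len,
                                 const uint8_t **out, size_t *out_len)
{
    size_t pos = 0, clen = 0, nbytes, i;

    if (len < 2) return INT_TRUNCATED;
    if (buf[pos++] != 0x02) return INT_BAD_TAG;

    /* Length octets: short form below 0x80, long form otherwise (X.690 8.1.3).
     * DER (10.1) additionally demands the shortest form, so the long form is
     * only acceptable for lengths >= 0x80 and must not start with a zero octet. */
    if (buf[pos] < 0x80) {
        clen = buf[pos++];
    } else {
        nbytes = buf[pos++] & 0x7f;
        if (nbytes == 0 || nbytes > sizeof(size_t)) return INT_BAD_LENGTH;
        if (len - pos < nbytes) return INT_TRUNCATED;
        if (buf[pos] == 0x00) return INT_BAD_LENGTH;
        for (i = 0; i < nbytes; i++) clen = (clen << 8) | buf[pos++];
        if (clen < 0x80) return INT_BAD_LENGTH;
    }
    if (len - pos < clen) return INT_TRUNCATED;
    if (clen == 0) return INT_EMPTY;

    /* X.690 8.3.2: the first nine bits of the contents shall not all be zeros
     * or all ones.  This is a BER rule, not a DER-only one, which is why
     * "02 02 00 41" is invalid BER and not merely non-canonical DER. */
    if (clen >= 2) {
        uint8_t first = buf[pos], second = buf[pos + 1];
        if (first == 0x00 && (second & 0x80) == 0) return INT_NONMINIMAL_VALUE;
        if (first == 0xFF && (second & 0x80) != 0) return INT_NONMINIMAL_VALUE;
    }

    if (out) *out = buf + pos;
    if (out_len) *out_len = clen;
    return INT_OK;
}

/* Convenience wrapper for hand-written test vectors: decode a hex string
 * (no separators, at most 64 octets) and run the check on it. */
int check_hex(const char *hex)
{
    uint8_t buf[64];
    size_t n = strlen(hex) / 2, i;
    if (n > sizeof buf) return -1;
    for (i = 0; i < n; i++) {
        unsigned v;
        if (sscanf(hex + 2 * i, "%2x", &v) != 1) return -1;
        buf[i] = (uint8_t)v;
    }
    return (int)der_integer_check(buf, n, NULL, NULL);
}

int main(void)
{
    /* Constructed vectors; the last one has the shape of the disputed TPM INTEGER. */
    static const char *vectors[] = { "020141", "02020080", "0202ff7f", "02020041" };
    size_t i;
    for (i = 0; i < sizeof vectors / sizeof vectors[0]; i++)
        printf("%-10s -> %d\n", vectors[i], check_hex(vectors[i]));
    return 0;
}
```

Note that `02 02 00 80` passes: the leading zero is required there to keep the value positive, whereas in `02 02 00 41` it carries no information and is exactly the case 8.3.2 rules out. A parser that silently accepts the latter has two encodings for the same value, which is the property a signature-forgery attack like the linked one exploits.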