[openssl-dev] [openssl.org #4430] #1852: [BUG] Invalid Proxy Certificates Pass Validation
Nicholas Prowse via RT
rt at openssl.org
Mon Mar 14 17:45:34 UTC 2016
My view is that code should follow the RFC (in this case RFC3820) where possible, and hence this should be put in the queue as higher priority - especially since it could have potential security implications.
Regards,
Nick Prowse
-------------------
Wed Feb 03 13:53:45 2016
Rich Salz - Correspondence added
Re-opening it. It would be good to decide soon if we should do this.
--
Rich Salz, OpenSSL dev team; rsalz at openssl.org
--------------------
Date: Tue, 2 Feb 2016 01:44:36 +0000
Subject: Re: [openssl-dev] [openssl.org #1852] [BUG] Invalid Proxy Certificates Pass Validation
From: Viktor Dukhovni <openssl-users at dukhovni.org>
CC: chad.lajoie at switch.ch
To: rt at openssl.org, openssl-dev at openssl.org
On Mon, Feb 01, 2016 at 07:18:04PM +0000, Rich Salz via RT wrote:
> This is reported against 0.9.x; please open a new ticket if still a problem
> with current releases.
The same behaviour is present in all releases including master.
I don't see any code in OpenSSL that imposes any constraints on
the subject names of proxy certificates.
If strict adherence to the rules in RFC3820 is important for security
(I don't know where proxy certs are used and what real semantics
applications expect), then this issue remains to be addressed.
Perhaps reopen this one.
--
Viktor.
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4430
Please log in as guest with password guest if prompted
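
The subject-name rule from RFC 3820 that this ticket is about (a proxy certificate's subject must be its issuer's subject with exactly one commonName RDN appended), as an added Python example that is not part of the original messages and is not OpenSSL code. Names are modelled as already-parsed RDN lists and compared by exact match; the helper name and the sample names are constructed for illustration.

```python
CN_OID = "2.5.4.3"  # id-at-commonName

# A distinguished name is modelled as a list of RDNs, outermost first; each RDN
# is a list of (attribute OID, value) pairs as an X.509 parser would yield them.
# Assumption: values are already normalised, so exact comparison is enough.

def _rdns(name):
    # Attribute order inside one RDN (an ASN.1 SET) is not significant,
    # the order of the RDNs themselves is.
    return [frozenset(rdn) for rdn in name]

def proxy_subject_ok(issuer_subject, proxy_subject):
    """Check a proxy certificate subject against its issuer's subject.

    Returns (ok, reason). Hypothetical helper, not an OpenSSL function.
    """
    issuer, subject = _rdns(issuer_subject), _rdns(proxy_subject)
    if len(subject) != len(issuer) + 1:
        return False, "subject must be issuer name plus exactly one RDN"
    if subject[:-1] != issuer:
        return False, "subject does not begin with the issuer name"
    last = proxy_subject[-1]
    if len(last) != 1:
        return False, "appended RDN must be single-valued"
    if last[0][0] != CN_OID:
        return False, "appended RDN must be a commonName"
    return True, "ok"

# Constructed sample names (not taken from the ticket).
ISSUER = [[("2.5.4.6", "CH")], [("2.5.4.10", "Example Org")], [(CN_OID, "alice")]]
CASES = {
    "valid proxy": ISSUER + [[(CN_OID, "proxy-1234")]],
    "unrelated subject": [[("2.5.4.6", "CH")], [(CN_OID, "bob")]],
    "wrong prefix": [[("2.5.4.6", "CH")], [("2.5.4.10", "Other Org")],
                     [(CN_OID, "alice")], [(CN_OID, "proxy-1234")]],
    "appended OU": ISSUER + [[("2.5.4.11", "proxy-1234")]],
    "multi-valued RDN": ISSUER + [[(CN_OID, "proxy"), ("2.5.4.11", "x")]],
}

if __name__ == "__main__":
    for label, subject in CASES.items():
        print(label, "->", proxy_subject_ok(ISSUER, subject))
```

A validator that skips this comparison accepts every case above as long as the signature chain verifies, which is the behaviour the ticket reports.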