[openssl-dev] [openssl.org #3502] nameConstraints bypass bug
Salz, Rich via RT
rt at openssl.org
Tue May 31 02:06:41 UTC 2016
> Note that other implementations treated this as a bug and fixed it a long time
> ago.
What other implementations, and what did they do? Always treating a CN as a DNS name? We can't.
> I'm not sure what "deprecated" and "mandated" mean in the openssl
> context. If openssl actually de-implemented CN-as-hostname and actually
> mandated SAN, that would solve the nameConstraints bypass bug in grand
> style.
Applications can do that now by setting the right flag, as Viktor pointed out. I think it's too late to make the default change for 1.1.
> How about this for a heuristic: If nameConstraints are in effect, then the
> validator MUST NOT accept the CN as a DNS name. This seems like the least
> the validator could do, in light of the aforementioned deprecation.
Probably.
> -- The problem is not solved until bad guys are
> /required/ to use SAN;
Applications can make that happen now.
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3502
Please log in as guest with password guest if prompted
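The heuristic discussed above, as an added example that is not part of the thread or of OpenSSL: a toy validator in which the CN is never used as a DNS identity while nameConstraints are in effect, placed next to the legacy CN fallback so the difference is visible; certificates are constructed dicts, and the `legacy_cn_fallback` switch and dict keys are assumptions for illustration.

```python
# Added example, not from the thread: a toy hostname validator implementing
# the proposed heuristic (CN is never a DNS identity while nameConstraints
# apply) beside the legacy CN-fallback behaviour it replaces.
# Certificates are constructed dicts, not parsed X.509; wildcards are ignored.

def dns_constraint_matches(constraint, name):
    """RFC 5280 dNSName constraint: 'example.com' covers example.com and
    every subdomain; a leading dot ('.example.com') covers subdomains only."""
    c, n = constraint.lower(), name.lower()
    if c.startswith("."):
        return n.endswith(c)
    return n == c or n.endswith("." + c)


def name_permitted(name, permitted, excluded):
    """True if a dNSName satisfies the constrained CA's permitted/excluded sets."""
    if any(dns_constraint_matches(x, name) for x in excluded):
        return False
    return not permitted or any(dns_constraint_matches(p, name) for p in permitted)


def candidate_identities(leaf, constraints_in_effect, legacy_cn_fallback):
    """DNS identities that hostname matching may use for this leaf.

    SAN dNSNames always win. With no SAN, the CN is a legacy fallback; the
    hardened rule refuses that fallback whenever nameConstraints apply, because
    constraint checking only ever looked at SAN entries, never at the CN.
    """
    sans = list(leaf.get("san_dns", []))
    if sans:
        return sans
    if constraints_in_effect and not legacy_cn_fallback:
        return []
    return [leaf["cn"]] if leaf.get("cn") else []


def verify_host(host, leaf, permitted=(), excluded=(), legacy_cn_fallback=False):
    """Return True if 'host' is a verified identity of 'leaf' under the CA's
    dNSName constraints. legacy_cn_fallback=True reproduces the gap the thread
    discusses: a CN-only leaf is never measured against the constraints."""
    constraints_in_effect = bool(permitted) or bool(excluded)
    # Constraints are enforced on SAN dNSNames only, as in X.509 path validation.
    for san in leaf.get("san_dns", []):
        if not name_permitted(san, permitted, excluded):
            return False
    ids = candidate_identities(leaf, constraints_in_effect, legacy_cn_fallback)
    return any(i.lower() == host.lower() for i in ids)
```

With the hardened default, a CN-only leaf under a constrained CA simply has no DNS identity and fails hostname verification, which is the effect the proposed heuristic is after.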