Hello!

During the course of deprecation of stale 1024-bit CA certs, the node.js and io.js project teams have identified a problem with how the OpenSSL client handles the server's certificate chain. It is quite evident that it ignores the certificate store and loads the issuer from the chain that was received. This leads to problems with AWS and probably other service providers who sent the stale **alternative** certificate chain with the same serial numbers, but 1024-bit CA certificates.

I have already tried proposing a solution to the OpenSSL team:

https://www.mail-archive.com/openssl-dev@openssl.org/msg37721.html

But one of the node.js contributors has found this commit (from 2010):

https://github.com/openssl/openssl/commit/db28aa86e00b9121bee94d1e65506bf22d5ca6e3

The main question that I have is: is it safe to float this patch on top of 1.0.1k and use it? From my knowledge of the code it appears to be pretty harmless; however, the fact that it wasn't backported in 5 years makes me wonder if it was considered safe after all.

Thank you,
Fedor.
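
A simplified model of the chain-building behaviour described in the message above, added here as an illustration; it is not OpenSSL code and not part of the original post. Certificate names, key sizes and trust-store contents are constructed, and issuers are matched by name only, with no signature checks.

```python
# Toy model of X.509 path building: issuer lookup order decides the outcome.
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer key_bits")

# Constructed trust store, after the stale 1024-bit root has been removed.
TRUST_STORE = [Cert("Root-2048", "Root-2048", 2048)]

# Constructed chain sent by the server: leaf, intermediate, and an alternative
# certificate for the same CA name that chains to the removed 1024-bit root.
PEER_CHAIN = [
    Cert("leaf.example", "Intermediate", 2048),
    Cert("Intermediate", "Root-2048", 2048),
    Cert("Root-2048", "Old-Root-1024", 1024),
]

def find_issuer(cert, pool):
    """Return the first certificate in pool whose subject equals cert.issuer."""
    return next((c for c in pool if c.subject == cert.issuer), None)

def build_path(leaf, peer_chain, store, trusted_first):
    """Walk from leaf towards a trust anchor; return (ok, path labels)."""
    path, current = [leaf], leaf
    # Lookup order is the only difference between the two strategies.
    first, second = (store, peer_chain) if trusted_first else (peer_chain, store)
    for _ in range(10):  # depth limit guards against issuer loops
        if current in store:
            break
        issuer = find_issuer(current, first) or find_issuer(current, second)
        if issuer is None or issuer in path:
            break
        path.append(issuer)
        current = issuer
    labels = ["%s/%d" % (c.subject, c.key_bits) for c in path]
    return current in store, labels

if __name__ == "__main__":
    for trusted_first in (False, True):
        ok, labels = build_path(PEER_CHAIN[0], PEER_CHAIN, TRUST_STORE, trusted_first)
        print("trusted_first=%s verified=%s path=%s" % (trusted_first, ok, labels))
```

With peer-supplied certificates consulted first, the path runs into the alternative certificate and ends at an issuer that is no longer in the store; consulting the store first reaches the 2048-bit anchor.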