AW: AW: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?.

2022-09-16 Thread Andrew Lynch via openssl-users
desktop to wget in the VM. -Original Message- From: openssl-users On Behalf Of Viktor Dukhovni Sent: Friday, 16 September 2022 16:22 To: openssl-users@openssl.org Subject: Re: AW: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?. On Fri, Sep 16, 2022

Re: AW: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?.

2022-09-16 Thread Viktor Dukhovni
On Fri, Sep 16, 2022 at 02:11:38PM +, Andrew Lynch via openssl-users wrote: > http://sm-pkitest.atos.net/cert/Atos-Smart-Grid-Test.CA.2.crt > > I’ve also asked my colleagues why the download is http instead of https… You should look to multiple independent sources to validate the

AW: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?.

2022-09-16 Thread Andrew Lynch via openssl-users
-users On Behalf Of Andrew Lynch via openssl-users Sent: Friday, 16 September 2022 15:53 To: Corey Bonnell ; openssl-users@openssl.org Subject: AW: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?. Hi Corey, I believe Viktor has explained the issue sufficiently

AW: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?.

2022-09-16 Thread Andrew Lynch via openssl-users
e he removed that everything was fine as the verify then used the self-signed SN2 root directly. Regards, Andrew. From: Corey Bonnell Sent: Friday, 16 September 2022 14:23 To: Andrew Lynch ; openssl-users@openssl.org Subject: RE: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compar

Re: AW: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?.

2022-09-16 Thread Viktor Dukhovni
On Fri, Sep 16, 2022 at 08:32:27AM +, Andrew Lynch via openssl-users wrote: > So is this a possible bug or a feature of OpenSSL 1.1.1? (using > 1.1.1n right now) OpenSSL 1.1.1 is doing the right thing. > If I set up the content of CAfile or CApath so that E <- D <- C <- A > is the only

RE: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?.

2022-09-16 Thread Corey Bonnell via openssl-users
diagnosing the issue. Thanks, Corey From: openssl-users On Behalf Of Andrew Lynch via openssl-users Sent: Friday, September 16, 2022 4:32 AM To: openssl-users@openssl.org Subject: AW: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?. So is this a possible bug

AW: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?.

2022-09-16 Thread Andrew Lynch via openssl-users
rstag, 15. September 2022 19:51 To: Andrew Lynch Cc: openssl-users@openssl.org Subject: Re: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?. Assuming that all self-signed certificates are trusted (here, A and B), then providing a CAfile with D+C+B+A to validate E, the different

Re: Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?

2022-09-15 Thread Viktor Dukhovni
On Thu, Sep 15, 2022 at 05:34:07PM +, Andrew Lynch via openssl-users wrote: > Why is OpenSSL 1.0.2 verifying successfully? Does it not check the > path length constraint or is it actually picking the depth 2 chain > instead of the depth 3? There are two important differences between 1.0.2

Re: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?.

2022-09-15 Thread Erwann Abalea via openssl-users
Assuming that all self-signed certificates are trusted (here, A and B), then providing a CAfile with D+C+B+A to validate E, the different possible paths are: - E <- D <- B: this path is valid - E <- D <- C <- A: this path is valid In the validation algorithm described in RFC5280 and X.509, the

Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?

2022-09-15 Thread Andrew Lynch via openssl-users
Hi, I would like to have my understanding of the following issue confirmed: Given a two-level CA where the different generations of Root cross-sign each other, the verification of an end-entity certificate fails with OpenSSL 1.1.1 - "path length constraint exceeded". With OpenSSL 1.0.2 the