--- Comment #30 from Christopher Schultz <> ---
(In reply to Michael Osipov from comment #28)
> (In reply to Christopher Schultz from comment #27)
> > The issue is not whether or not anyone is still using OpenSSL 1.0.2 today,
> > but whether or not anyone still have keys and certs when when they /were/
> > using it in the past.
> That would also mean that they are years old and still valid...

Sure, but there is nothing wrong with that.

What if a CA used OpenSSL 1.0.2 in 2019 (the year of the last release in that
line) to mint their most-recent intermediate certificate(s)? Intermediate
certificates are typically valid for 10 years or so.

On the other hand, I think this is only a problem for keys and not
certificates, and it's very unlikely that Tomcat would be used to handle CA key
material. Those keys ought to be in HSMs and only used for signing, not for
typical web traffic.

Since it's already fixed (thanks, Mark!) this is an academic conversation, but
I do still think that supporting these types of files is reasonable.

You are receiving this mail because:
You are the assignee for the bug.
To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to