> On Jan 14, 2016, at 3:21 PM, Jouni Malinen <j...@w1.fi> wrote:
>
> On Thu, Jan 14, 2016 at 03:15:12PM -0500, Viktor Dukhovni wrote:
>>
>>> On Jan 14, 2016, at 2:38 PM, Viktor Dukhovni <openssl-us...@dukhovni.org>
>>> wrote:
>>>
>>> Thanks. That's enough info. Patch below.
>>
>> Or pull the master branch from github.
>
> Thanks! I confirmed that both the patch on top of pre-rel 2 (+ CRL fix)
> and the current master branch snapshot fixed all the test cases that I
> saw failing previously.
Thanks for the prompt error report. If you're willing to share your
test chains, and if it is likely to be not too difficult to include
them with the OpenSSL bundled tests, that might be worth looking into.
We definitely need more chain verification test cases, and yours failed
with the unpatched "openssl verify" when used just right:
$ openssl verify -trusted ca-incorrect.pem -untrusted ca.pem \
-purpose sslserver server.pem
The untrusted ca.pem came up trusted incorrectly. The new DANE-specific
chain tests are much more comprehensive at this time than the non-DANE
ones, we'll need to address that before the final release.
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
