Hello,

On 12 Feb 2016 at 01:11, Blumenthal, Uri - 0553 - MITLL <[email protected]> wrote:

> Again, you are right, but what's the lesser evil - being unable to use the new OpenSSL because it refuses to deal with the cert that some dim-witted TPM maker screwed up, or accept a certificate with a (minor) violation of DER (but not of BER)? What bad thing, in your opinion, could happen if OpenSSL allowed parsing an integer with a leading zero byte (when it shouldn't be there by DER)?

As shown yesterday, this INTEGER encoding isn't even valid BER.

Being liberal in what you accept, when dealing with crypto, gives you stuff like this: https://www.mozilla.org/en-US/security/advisories/mfsa2014-73/

Regards,
Erwann Abalea
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
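The rule behind Erwann's point is X.690 clause 8.3.2: when an INTEGER has more than one content octet, the first octet and the top bit of the second octet may not all be zero or all be one, so a redundant leading 0x00 is invalid BER as well as DER. The following is an added example, not code from this thread or from OpenSSL: a small DER INTEGER encoder and decoder with a strict mode that rejects the redundant leading octet (and non-minimal lengths) and a lenient mode that tolerates it, so the two behaviours being debated can be compared side by side. The function names and the sample encodings are my own constructions, not values from any real TPM certificate.

```python
"""Strict vs. lenient DER INTEGER handling (X.690 clause 8.3).

Added example: the encoder always emits the minimal form; the decoder
either enforces that form (strict=True) or tolerates a redundant leading
octet (strict=False). Names and sample bytes are constructed for this
illustration.
"""

TAG_INTEGER = 0x02


class NonMinimalEncoding(ValueError):
    """Raised when content or length octets are not minimally encoded."""


def _encode_length(length: int) -> bytes:
    """Definite-form length: short form below 128, shortest long form above."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_length(data: bytes, pos: int) -> tuple[int, int]:
    """Parse a definite-form length at data[pos]; return (length, next_pos)."""
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0:
        raise ValueError("indefinite length is not allowed in DER")
    if pos + n > len(data):
        raise ValueError("truncated length")
    length = int.from_bytes(data[pos:pos + n], "big")
    # DER: long form only when needed, and no leading zero length octets.
    if length < 0x80 or (n > 1 and data[pos] == 0):
        raise NonMinimalEncoding("non-minimal length encoding")
    return length, pos + n


def encode_integer(value: int) -> bytes:
    """Encode an int as a minimal two's-complement DER INTEGER TLV."""
    # Bits needed: magnitude bits plus one sign bit; for negatives count ~value.
    bits = (value.bit_length() if value >= 0 else (~value).bit_length()) + 1
    content = value.to_bytes((bits + 7) // 8, "big", signed=True)
    return bytes([TAG_INTEGER]) + _encode_length(len(content)) + content


def decode_integer(data: bytes, strict: bool = True) -> int:
    """Decode one DER INTEGER TLV; strict mode rejects redundant octets."""
    if len(data) < 2 or data[0] != TAG_INTEGER:
        raise ValueError("expected INTEGER tag 0x02")
    length, pos = _read_length(data, 1)
    content = data[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated content")
    if pos + length != len(data):
        raise ValueError("trailing bytes after INTEGER")
    if length == 0:
        raise ValueError("INTEGER needs at least one content octet")
    if length > 1:
        # X.690 8.3.2: the first nine bits must not be all zero or all one.
        first_nine = (content[0] << 1) | (content[1] >> 7)
        if first_nine in (0x000, 0x1FF) and strict:
            raise NonMinimalEncoding("redundant leading octet in INTEGER")
    return int.from_bytes(content, "big", signed=True)


def is_minimal_integer(data: bytes) -> bool:
    """True if the TLV is a valid, minimally encoded INTEGER."""
    try:
        decode_integer(data, strict=True)
    except NonMinimalEncoding:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples: the value 1 encoded minimally and with the
    # kind of redundant leading zero discussed in the thread.
    good = bytes.fromhex("020101")
    padded = bytes.fromhex("02020001")
    print("minimal:", good.hex(), "->", decode_integer(good))
    print("padded, lenient:", padded.hex(), "->", decode_integer(padded, strict=False))
    print("padded accepted by strict parser?", is_minimal_integer(padded))
```

The strict path is the one a certificate parser should take: a decoder that silently drops the extra octet yields the same integer value for two different byte strings, which is exactly the kind of ambiguity a signature-verification routine must not have.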
