My view is that code should follow the RFC (in this case RFC3820) where possible, and hence this should be put in the queue as higher priority - especially since it could have potential security implications.

Regards,
Nick Prowse
------------------- Wed Feb 03 13:53:45 2016 Rich Salz - Correspondence added

Re-opening it. It would be good to decide soon if we should do this.

--
Rich Salz, OpenSSL dev team; rs...@openssl.org

--------------------
Date: Tue, 2 Feb 2016 01:44:36 +0000
Subject: Re: [openssl-dev] [openssl.org #1852] [BUG] Invalid Proxy Certificates Pass Validation
From: Viktor Dukhovni <openssl-us...@dukhovni.org>
CC: chad.laj...@switch.ch
To: r...@openssl.org, openssl-dev@openssl.org

On Mon, Feb 01, 2016 at 07:18:04PM +0000, Rich Salz via RT wrote:

> This is reported against 0.9.x; please open a new ticket if still a problem
> with current releases.

The same behaviour is present in all releases including master. I don't see any code in OpenSSL that imposes any constraints on the subject names of proxy certificates. If strict adherence to the rules in RFC3820 is important for security (I don't know where proxy certs are used and what real semantics applications expect), then this issue remains to be addressed. Perhaps reopen this one.

--
Viktor.

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4430
Please log in as guest with password guest if prompted