Hi,
> Basically - a root of trust is something sacrosanct. If you said "use
> this root of trust" and somehow that fails, trying to run more code
> when you *know* the requested root of trust did not work is very very
> wrong. Do not proceed further, do not pass go, do not try to validate
> the
Yes, I mean the program should exit with an error message if the
requested CA file (either the default, or via -CAfile) can't be
loaded.
On Fri, Apr 1, 2016 at 8:44 AM, Florian Zumbiehl wrote:
> Hi,
>
>> Florian I'm happy to look at this now with you
>>
>> But based on the old
Basically - a root of trust is something sacrosanct. If you said "use
this root of trust" and somehow that fails, trying to run more code
when you *know* the requested root of trust did not work is very very
wrong. Do not proceed further, do not pass go, do not try to validate
the certificate
Hi,
> Florian I'm happy to look at this now with you
>
> But based on the old discussion I'm not certain I'm happy with the
> final result.
>
> IMO - here's what we need in these:
>
> 1) If you specify nothing, you should get the default.
> 2) If you specify a CAfile, and there is no failure
Florian I'm happy to look at this now with you
But based on the old discussion I'm not certain I'm happy with the
final result.
IMO - here's what we need in these:
1) If you specify nothing, you should get the default.
2) If you specify a CAfile, and there is no failure in loading it,
you
Hi,
it occurred to me that this patch that I submitted quite a while ago still
hasn't been merged and discussion about it back then got stuck due to a
release being prepared or something--so, here I submit it again, though you
might want to read the discussion on the thread from 2014 that I am
On Mon, Aug 4, 2014 at 1:33 PM, Florian Zumbiehl fl...@florz.de wrote:
ping?
We're basically in release lock right now, so this sort of behavioral
change, particularly one diverging from OpenSSL, is a bit too risky for
this moment. Ping again when we go back to -current and we can figure out
ping?
ping?
This is a fix for OpenSSL tickets #977 and #3213, loosely based on patch from
Reuben Thomas from #3213.
---
src/apps/s_client.c |5 +++--
src/apps/s_server.c | 10 ++
src/apps/s_time.c |5 +++--
3 files changed, 12 insertions(+), 8 deletions(-)
diff --git
On Sun, Jul 27, 2014 at 2:16 AM, Florian Zumbiehl fl...@florz.de wrote:
ping?
This is a fix for OpenSSL tickets #977 and #3213, loosely based on patch
from
Reuben Thomas from #3213.
Hmm, what a mess. The smime and ocsp subcommands use an internal
function setup_verify() to get the
Hi,
[...]
Is this an area where the current behavior cannot be used safely? No.
Indeed, using CAs in circumstances where OpenSSL doesn't may create
security issues for existing scripts using the openssl command.
*If* using the compiled in paths is correct, then I would think using the
On Sun, Jul 27, 2014 at 3:49 AM, Florian Zumbiehl fl...@florz.de wrote:
Is this an area where the current behavior cannot be used safely? No.
Indeed, using CAs in circumstances where OpenSSL doesn't may create
security issues for existing scripts using the openssl command.
*If* using
Hi,
Ha! Ain't this code great! You're correct that I misread it. So right
now:
* If you don't specify either option, no CAs will be available
* if you specify -CAfile and it can't be loaded, then no CAs will be
available
* if you specify -CApath and either it's the zero-length path ()