Hi,
> Basically - a root of trust is something sacrosanct. If you said "use
> this root of trust" and somehow that fails, trying to run more code
> when you *know* the requested root of trust did not work is very very
> wrong. Do not proceed further, do not pass go, do not try to validate
> the
Yes, I mean the program should exit with an error message if the
requested CA file (either the default, or via -CAfile) can't be
loaded.
On Fri, Apr 1, 2016 at 8:44 AM, Florian Zumbiehl wrote:
> Hi,
>
>> Florian I'm happy to look at this now with you
>>
>> But based on the old discussion I'm not
Basically - a root of trust is something sacrosanct. If you said "use
this root of trust" and somehow that fails, trying to run more code
when you *know* the requested root of trust did not work is very very
wrong. Do not proceed further, do not pass go, do not try to validate
the certificate any
Hi,
> Florian I'm happy to look at this now with you
>
> But based on the old discussion I'm not certain I'm happy with the
> final result.
>
> IMO - here's what we need in these:
>
> 1) If you specify nothing, you should get the default.
> 2) If you specify a CAfile, and there is no failure
Florian I'm happy to look at this now with you
But based on the old discussion I'm not certain I'm happy with the
final result.
IMO - here's what we need in these:
1) If you specify nothing, you should get the default.
2) If you specify a CAfile, and there is no failure in loading it,
you shou
Hi,
it occured to me that this patch that I submitted quite a while ago still
hasn't been merged and discussion about it back then got stuck due to a
release being prepared or something--so, here I submit it again, though you
might want to read the discussion on the thread from 2014 that I am
repl
On Mon, Aug 4, 2014 at 1:33 PM, Florian Zumbiehl wrote:
> ping?
>
We're basically in release lock right now, so this sort of behavioral
change, particularly one diverging from OpenSSL, is a bit too risky for
this moment. Ping again when we go back to -current and we can figure out
what to do at
ping?
Hi,
> Ha! Ain't this code great! You're correct that I misread it. So right
> now:
> * If you don't specify either option, no CAs will be available
> * if you specify -CAfile and it can't be loaded, then no CAs will be
> available
> * if you specify -CApath and either it's the zero-length pa
On Sun, Jul 27, 2014 at 3:49 AM, Florian Zumbiehl wrote:
>
> > Is this an area where the current behavior cannot be used safely? No.
> > Indeed, using CAs in circumstances where OpenSSL doesn't may create
> > security issues for existing scripts using the openssl command.
> >
> > *If* using the
Hi,
[...]
> Is this an area where the current behavior cannot be used safely? No.
> Indeed, using CAs in circumstances where OpenSSL doesn't may create
> security issues for existing scripts using the openssl command.
>
> *If* using the compiled in paths is correct, then I would think using the
On Sun, Jul 27, 2014 at 2:16 AM, Florian Zumbiehl wrote:
> ping?
>
> > This is a fix for OpenSSL tickets #977 and #3213, loosely based on patch
> from
> > Reuben Thomas from #3213.
>
Hmm, what a mess. The "smime" and "ocsp" subcommands use an internal
function setup_verify() to get the compiled
ping?
> This is a fix for OpenSSL tickets #977 and #3213, loosely based on patch from
> Reuben Thomas from #3213.
> ---
> src/apps/s_client.c |5 +++--
> src/apps/s_server.c | 10 ++
> src/apps/s_time.c |5 +++--
> 3 files changed, 12 insertions(+), 8 deletions(-)
>
> diff --
This is a fix for OpenSSL tickets #977 and #3213, loosely based on patch from
Reuben Thomas from #3213.
---
src/apps/s_client.c |5 +++--
src/apps/s_server.c | 10 ++
src/apps/s_time.c |5 +++--
3 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/apps/s_client.c
14 matches
Mail list logo