On Fri, Jan 09, 2009, Jean-Marc Desperrier wrote:

> Stephen, can you elaborate on that response because from the patch it seems
> that more than only client validation of the server signature in SSL
> sessions is affected.
>
> cms/cms_sd.c is affected, but the consequence is only a missing error
> message, right ?
>

Yes.

> ssl/s2_srvr.c ssl/s3_srvr.c : The error in those two files seems to mean
> that server verification of DSA signed clients certificates is also
> affected.
>

DSA cannot be used with SSLv2 so it is not affected.

> apps/verify.c is affected. This is the "app" file, not "crypto", so chain
> validation that is done in crypto is not affected. But if someone happens
> to rely on the command line tool to do the verification, he may be
> affected.
>
> apps/spkac.c is affected. This will not impact many people (command line
> verification of Netscape format certificate request) but should be noted.
>

Agreed.

> apps/x509.c is affected, but the impact seems extremely low affecting only
> the code path to generate a self signed cert.
>
> Also it may be important to insist on the point that anybody who has
> developed applications using openssl and using the existing code as a model
> (cut/paste) is quite likely to be impacted by this problem.

A detailed code analysis showed two cases where X509_verify_cert() could
return -1. One is due to programmer error: not setting the certificate. The
other is if an X509_LOOKUP requests a retry. This is something which has been
about since the SSLeay days but never used.

Effectively that means the function X509_verify_cert() in real world usage
only returns 0 for failure and 1 for success. My colleagues however wanted to
include the additional checks as a precautionary measure.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
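The point of the thread is the three-way return convention of X509_verify_cert() (1 on success, 0 on a failed verification, -1 when an error such as an unset certificate stops verification before any verdict) and the danger of a caller that only tests for 0. The following is an added illustration, not code from OpenSSL or from the mail above: `mock_verify_cert` is a stand-in that returns -1 for the "certificate not set" case the mail describes, and the faulty checker is assumed, for illustration, to treat only a zero return as failure.

```c
#include <stdio.h>
#include <stddef.h>

/* Added illustration, not OpenSSL's code. mock_verify_cert() models the
 * return convention of X509_verify_cert(): 1 = chain verified, 0 = chain
 * did not verify, -1 = error before a verdict (here: no certificate set,
 * the programmer-error case described in the mail). */
enum { VERIFY_OK = 1, VERIFY_FAILED = 0, VERIFY_ERROR = -1 };

static int mock_verify_cert(const char *cert, int chain_ok)
{
    if (cert == NULL)
        return VERIFY_ERROR;      /* nothing to verify: early error, not a verdict */
    return chain_ok ? VERIFY_OK : VERIFY_FAILED;
}

/* Assumed faulty pattern: only a zero return is treated as failure, so the
 * -1 error path is accepted as if the certificate had verified. */
int accept_cert_buggy(const char *cert, int chain_ok)
{
    int ret = mock_verify_cert(cert, chain_ok);
    if (!ret)
        return 0;                 /* rejects 0 only */
    return 1;                     /* accepts 1 and, wrongly, -1 */
}

/* Hardened pattern: anything other than an explicit 1 is a rejection,
 * so an error before a verdict can never be mistaken for success. */
int accept_cert_fixed(const char *cert, int chain_ok)
{
    int ret = mock_verify_cert(cert, chain_ok);
    if (ret != 1)
        return 0;
    return 1;
}

/* Runs a checker over the three reachable outcomes (good chain, bad chain,
 * certificate not set) and returns how many it accepts. A correct checker
 * accepts exactly one: the good chain. */
int count_accepted(int (*checker)(const char *, int))
{
    const char *good = "constructed-cert";   /* constructed sample input */
    int n = 0;
    n += checker(good, 1);        /* verified chain */
    n += checker(good, 0);        /* chain that fails verification */
    n += checker(NULL, 0);        /* certificate never set: returns -1 */
    return n;
}

int main(void)
{
    printf("buggy checker accepts %d of 3 outcomes\n", count_accepted(accept_cert_buggy));
    printf("fixed checker accepts %d of 3 outcomes\n", count_accepted(accept_cert_fixed));
    return 0;
}
```

The same `ret != 1` (or `ret <= 0`) discipline applies to any OpenSSL verification routine with this convention, which is why applications that copied the older call sites as a template are affected in the way the mail notes.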