On 11/03/2016 01:18, Viktor Dukhovni wrote:
On Fri, Mar 11, 2016 at 12:56:04AM +0100, Jakob Bohm wrote:
Your reply below is a perfect illustration of the expected confusion.
Sorry, I disagree. The 1.1.0 changes fix various shortcomings that
may well also be addressed in a future 1.0.2 update.
The net effect is more consistent behaviour that is the same whether
intermediate certificates are found in the trust-store or obtained
from the peer. The few applications that enable partial chain
support and the likely zero users who've created "decorated"
intermediate certs in the OpenSSL trust store might notice some
change.
If you strongly feel that the behaviour should be the same for all
users, that sounds like support for backporting the changes, which
is something I will be proposing soon.
You misunderstand completely.
I am arguing that:
- 1.0.x behavior should not be changed, as it would violate the
principle of least surprise for a "security update" to change
semantics.
- 1.1.0 behavior is better, if it was the only OpenSSL version
ever to exist, but it isn't.
- Therefore the 1.1.0 behavior should use the CA directory shared
with 1.0.x in a way consistent with how 1.0.x uses that directory
(as a repository for trust anchors only, as far as I understand
your non-replies), while 1.1.0 should store untrusted intermediary
certificates in a different directory where they don't affect
1.0.x instances running on the same machine.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
