RE: Best Practices for private key files handling

2022-09-15 Thread Michael Wojcik via openssl-users
> From: openssl-users On Behalf Of Philip Prindeville
> Sent: Thursday, 15 September, 2022 15:41
>
> I was thinking of the case where the directory containing the keys (as configured) is correctly owned, but contains a symlink pointing outside of that directory somewhere else... say to a file

Re: Best Practices for private key files handling

2022-09-15 Thread Carson Gaspar
On 9/15/2022 3:15 PM, Shawn Heisey via openssl-users wrote: If symlinks are used responsibly, they won't have security risks. In general, if the program checks the ownership and permissions of the actual file before using it, it shouldn't matter whether there is a symlink or not. As long as

Re: Best Practices for private key files handling

2022-09-15 Thread Shawn Heisey via openssl-users
On 9/15/22 15:40, Philip Prindeville wrote: I was thinking of the case where the directory containing the keys (as configured) is correctly owned, but contains a symlink pointing outside of that directory somewhere else... say to a file owned by an ordinary user. In that case, as has been poin

Re: Best Practices for private key files handling

2022-09-15 Thread Philip Prindeville
> On Sep 13, 2022, at 8:10 PM, Shawn Heisey via openssl-users wrote:
>
> On 9/13/22 14:17, Philip Prindeville wrote:
>> But what happens when the file we encounter is a symlink? If the symlink is owned by root but the target isn't, or the target permissions aren't 0600 or 0400...

Re: Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?

2022-09-15 Thread Viktor Dukhovni
On Thu, Sep 15, 2022 at 05:34:07PM +, Andrew Lynch via openssl-users wrote:

> Why is OpenSSL 1.0.2 verifying successfully? Does it not check the path length constraint or is it actually picking the depth 2 chain instead of the depth 3?

There are two important differences between 1.0.2 an

Re: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?.

2022-09-15 Thread Erwann Abalea via openssl-users
Assuming that all self-signed certificates are trusted (here, A and B), then providing a CAfile with D+C+B+A to validate E, the different possible paths are:

- E <- D <- B: this path is valid
- E <- D <- C <- A: this path is valid

In the validation algorithm described in RFC5280 and X.509, the p

Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?

2022-09-15 Thread Andrew Lynch via openssl-users
Hi, I would like to have my understanding of the following issue confirmed: Given a two-level CA where the different generations of Root cross-sign each other, the verification of an end-entity certificate fails with OpenSSL 1.1.1 - "path length constraint exceeded". With OpenSSL 1.0.2 the sam