https://bz.apache.org/bugzilla/show_bug.cgi?id=67675

--- Comment #30 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Michael Osipov from comment #28)
> (In reply to Christopher Schultz from comment #27)
> > The issue is not whether or not anyone is still using OpenSSL 1.0.2 today,
> > but whether or not anyone still has keys and certs from when they /were/
> > using it in the past.
> 
> That would also mean that they are years old and still valid...

Sure, but there is nothing wrong with that.

What if a CA used OpenSSL 1.0.2 in 2019 (the year of the last release in that
line) to mint their most-recent intermediate certificate(s)? Intermediate
certificates are typically valid for 10 years or so.

On the other hand, I think this is only a problem for keys and not
certificates, and it's very unlikely that Tomcat would be used to handle CA key
material. Those keys ought to be in HSMs and only used for signing, not for
typical web traffic.

Since it's already fixed (thanks, Mark!) this is an academic conversation, but
I do still think that supporting these types of files is reasonable.
