On Thu, 2005-01-20 at 15:54 -0500, Jim Schneider wrote:
> On Thursday 20 January 2005 15:27, Samuel Meder wrote:
> > On Thu, 2005-01-20 at 15:16 -0500, Rich Salz wrote:
> > > > My point is that OpenSSL does work even if the list of certificates
> > > > does not comply to RFC2246 ... which seems bad to me
> > -<snipped>-
>
> > If you feel that tightening up is not worth the risk that is fine. We'll
> > either just carry a patch or ignore the problem. I really just wanted to
> > gauge the situation.
>
> Could your patch be controlled by an option to the SSL or SSL_CTX object?
> That way we can go forward with stricter checking in the future, and the
> possibility of turning off the checking easily at the application level if
> bug-for-bug compatibility dictates.

Yea, that should not be too hard. The question still is whether the default should be the current behavior or the stricter checking. If such a patch got accepted it would not matter much from our perspective (we would just turn on the stricter checking in our application). Thoughts?

In any case, I guess I'll go ahead and produce a patch at this point.

/Sam

> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List openssl-dev@openssl.org
> Automated List Manager [EMAIL PROTECTED]
>
-- 
Sam Meder <[EMAIL PROTECTED]>
The Globus Alliance - University of Chicago
630-252-1752