On 08/22/2014 12:26 PM, Salz, Rich wrote:
> It'd be good to fix this.

Behold a patch that seems to fix it: https://www.av8n.com/openssl/bypass-bugfix.diff

The code seems pretty straightforward to me, but on the other hand, I have very little experience coding in the openssl environment, so I might be overlooking something. Somebody should check this pretty closely.

A simple way to exhibit the bug (and the fix) is as follows.

Desired behavior:

    openssl verify -CAfile av8n-root-ca-cert.pem bypass.jdenker.com-cert.pem
    bypass.jdenker.com-cert.pem: C = US, CN = bypass.jdenker.com
    error 47 at 0 depth lookup:permitted subtree violation

Observed (unfixed) behavior:

    openssl verify -CAfile av8n-root-ca-cert.pem bypass.jdenker.com-cert.pem
    bypass.jdenker.com-cert.pem: OK

which is a security lapse.

The demonstration certs can be found at:
https://www.av8n.com/openssl/av8n-root-ca-cert.pem
https://www.av8n.com/openssl/bypass.jdenker.com-cert.pem

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
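The verify check above depends on the poster's certificates. As an added example (not code from the post or from the OpenSSL project), the script below builds its own name-constrained root CA and an out-of-subtree leaf, then confirms that `openssl verify` reports the permitted subtree violation rather than "OK"; the CA name, the `example.com` / `host.outside.test` names, temp paths and validity period are all constructed for the test.

```shell
#!/bin/sh
# Added example: regression check that OpenSSL enforces nameConstraints.
# A root CA permits only DNS names under example.com; a leaf with a SAN
# outside that subtree must be rejected with "permitted subtree violation".
# All names, paths and the 1-day validity below are constructed values.
set -eu

check_name_constraints() {
  d=$(mktemp -d)
  # Root CA config; the constraint is marked critical as RFC 5280 requires.
  cat > "$d/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Constrained Test Root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = critical,permitted;DNS:.example.com
EOF
  # Leaf SAN deliberately outside the permitted subtree.
  printf 'subjectAltName=DNS:host.outside.test\n' > "$d/leaf.ext"

  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=host.outside.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null

  # A correct verifier must fail here; an "OK" result is the bypass.
  if out=$(openssl verify -CAfile "$d/ca.pem" "$d/leaf.pem" 2>&1); then
    rm -rf "$d"; return 1
  fi
  rm -rf "$d"
  case "$out" in
    *"permitted subtree violation"*) return 0 ;;
    *) return 1 ;;
  esac
}

check_name_constraints && echo "name constraints enforced"
```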