This patch from Steve Henson seems better and a good candidate for 1.0.2 and master:
> diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c index > 26a6f67..9b7ca88 100644 > --- a/crypto/x509v3/v3_ncons.c > +++ b/crypto/x509v3/v3_ncons.c > @@ -405,7 +405,7 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base) > if (dns->length > base->length) > { > dnsptr += dns->length - base->length; > - if (dnsptr[-1] != '.') > + if (*baseptr != '.' && dnsptr[-1] != '.') > return X509_V_ERR_PERMITTED_VIOLATION; > } > > -- Rich Salz, OpenSSL dev team; rs...@openssl.org
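Review bot: the changed condition `if (*baseptr != '.' && dnsptr[-1] != '.')` in nc_dns needs a comment naming the two forms it now accepts when the name is longer than the constraint: a base that itself begins with '.', or a base without a leading dot where the character just before the matched suffix in the name is '.'. Without that comment a later reader cannot tell that accepting a leading-dot base is deliberate rather than a loosened check. The new `*baseptr` dereference also depends on base being non-empty, which the visible lines do not show; please confirm the empty-base case is handled before this point. A regression test for each form (leading-dot base and plain base, each against a longer name that should pass and one that should return X509_V_ERR_PERMITTED_VIOLATION) would pin the behaviour down for both 1.0.2 and master.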