> From: owner-openssl-us...@openssl.org On Behalf Of Andy Schmidt
> Sent: Wednesday, September 17, 2014 18:28
>
> I just tracked down an obscure bug in our certificate authentication
> code to a change in the global mask for ASN.1 strings in
> crypto/asn1/a_strnid.c.
> (https://github.com/openssl/openssl/commit/3009244da47b989c4cc59ba02cf81a4e9d8f8431)
> I have a couple of questions about this:
>
> 1. Was this change made for a security related reason?
> That is, by changing global_mask back to the 1.0.1g initialized value,
> are we introducing a security vulnerability?

Going back (probably, depending on the actual string values you use) may encode differently than standards call for. AFAICS there is no direct security impact, but if and to the extent it causes compliance or interop problems, those may indirectly affect security. (Canonical example: browser displays a dialog box about "this certificate may be invalid because $technical_details." 99.999% of users click on the box that says "I don't want this computer gibberish, just connect me to the website even if it is run by thieves so that I can have my money and personal data stolen QUICKLY.")

> 2. Is there a changelist somewhere in the source tarball that lists
> the 1.0.1g to 1.0.1h revisions? Or a list that outlines changes in the
> default settings?
> This would be extremely helpful in incorporating newly released 1.0.1
> subversions. The file CHANGES appears to only list security
> vulnerabilities.

IME CHANGES generally lists visible (i.e. commandline or API) changes, and internal ones (like refactoring) if they are considered important. You are not the only one visibly unhappy this change was made unlisted. It was apparently made for http://rt.openssl.org/Ticket/Display.html?id=3371 then affirmed by http://rt.openssl.org/Ticket/Display.html?id=3402 and http://rt.openssl.org/Ticket/Display.html?id=3469 . AFAICT rt ticket creations are "published" on openssl-dev, and these two were definitely discussed there.
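To make the "may encode differently" point concrete, here is an added model (not OpenSSL's code, and not from the thread) of how the global mask in a_strnid.c steers the ASN.1 string type that ends up in a certificate's subject. The B_ASN1_* / V_ASN1_* constants and DIRSTRING_TYPE are copied from OpenSSL's asn1.h so the file builds without libcrypto; the two default masks are assumptions from the commit history (all types in 1.0.1g, UTF8String only after the change); the type-selection order mirrors ASN1_mbstring_ncopy in a_mbstr.c.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed copies of OpenSSL asn1.h values so this builds stand-alone. */
#define B_ASN1_PRINTABLESTRING  0x0002UL
#define B_ASN1_T61STRING        0x0004UL
#define B_ASN1_IA5STRING        0x0010UL
#define B_ASN1_UNIVERSALSTRING  0x0100UL
#define B_ASN1_BMPSTRING        0x0800UL
#define B_ASN1_UTF8STRING       0x2000UL
#define DIRSTRING_TYPE (B_ASN1_PRINTABLESTRING | B_ASN1_T61STRING | \
                        B_ASN1_BMPSTRING | B_ASN1_UTF8STRING)

#define V_ASN1_UTF8STRING       12
#define V_ASN1_PRINTABLESTRING  19
#define V_ASN1_T61STRING        20
#define V_ASN1_IA5STRING        22
#define V_ASN1_UNIVERSALSTRING  28
#define V_ASN1_BMPSTRING        30

/* Assumed defaults: 1.0.1g allowed every type, the commit left only UTF8. */
#define MASK_ALL_TYPES  0xFFFFFFFFUL
#define MASK_UTF8ONLY   B_ASN1_UTF8STRING

/* PrintableString repertoire as OpenSSL checks it: alnum, space, '()+,-./:=? */
static int is_printable(unsigned long c)
{
    if (c == 0 || c > 0x7f)
        return 0;
    if (isalnum((int)c))
        return 1;
    return c == ' ' || strchr("'()+,-./:=?", (int)c) != NULL;
}

/* Choose the tag OpenSSL would emit for a code-point string: AND the
 * attribute's permitted types with the global mask, drop every type the
 * characters cannot fit in, then take the narrowest type still allowed.
 * Returns -1 when no permitted type fits (OpenSSL reports illegal chars). */
int pick_string_type(const unsigned long *cp, size_t n,
                     unsigned long attr_mask, unsigned long global_mask)
{
    unsigned long mask = attr_mask & global_mask;
    size_t i;

    for (i = 0; i < n; i++) {
        if (!is_printable(cp[i])) mask &= ~B_ASN1_PRINTABLESTRING;
        if (cp[i] > 0x7f)         mask &= ~B_ASN1_IA5STRING;
        if (cp[i] > 0xff)         mask &= ~B_ASN1_T61STRING;
        if (cp[i] > 0xffff)       mask &= ~B_ASN1_BMPSTRING;
    }
    if (mask & B_ASN1_PRINTABLESTRING) return V_ASN1_PRINTABLESTRING;
    if (mask & B_ASN1_IA5STRING)       return V_ASN1_IA5STRING;
    if (mask & B_ASN1_T61STRING)       return V_ASN1_T61STRING;
    if (mask & B_ASN1_BMPSTRING)       return V_ASN1_BMPSTRING;
    if (mask & B_ASN1_UNIVERSALSTRING) return V_ASN1_UNIVERSALSTRING;
    if (mask & B_ASN1_UTF8STRING)      return V_ASN1_UTF8STRING;
    return -1;
}

/* Convenience wrapper for a Latin-1 C string placed in a DirectoryString
 * attribute such as commonName (attribute mask DIRSTRING_TYPE). */
int pick_type_latin1(const char *s, unsigned long global_mask)
{
    unsigned long cps[256];
    size_t n = strlen(s), i;
    if (n > 256)
        n = 256;
    for (i = 0; i < n; i++)
        cps[i] = (unsigned char)s[i];
    return pick_string_type(cps, n, DIRSTRING_TYPE, global_mask);
}

/* 1 when reverting the mask would change the tag for this value. */
int encoding_changes_on_revert(const char *s)
{
    return pick_type_latin1(s, MASK_ALL_TYPES) !=
           pick_type_latin1(s, MASK_UTF8ONLY);
}

int main(void)
{
    /* Constructed sample subject values. */
    const char *samples[] = { "Example Corp", "ops@example", "M\xfcller GmbH" };
    size_t i;
    for (i = 0; i < 3; i++)
        printf("%-14s all-types tag=%2d  utf8only tag=%2d  changes=%d\n",
               samples[i],
               pick_type_latin1(samples[i], MASK_ALL_TYPES),
               pick_type_latin1(samples[i], MASK_UTF8ONLY),
               encoding_changes_on_revert(samples[i]));
    return 0;
}
```

The run shows the interop angle: under the permissive mask a plain name becomes PrintableString, a name containing '@' or a Latin-1 letter falls through to T61String (the type most verifiers dislike), while the UTF8-only mask encodes all three as UTF8String. Reverting the mask therefore changes the DER of the subject, which matters to anything comparing names byte-for-byte.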
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org