> On Mar 24, 2016, at 1:09 PM, Szilárd Pfeiffer <[email protected]>
> wrote:
>
> I am afraid the patch causes a serious compatibility break. In practice,
> after an OS upgrade (which upgrades OpenSSL to the patched version) each
> and every application, which calls the X509_verify_cert function
> multiple times without reinitialization, gets an error
> (ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED) which may or may not be handled
> properly. It leads to undefined behavior of the application.
No the patch catches undefined behaviour, and returns an error.
--
Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
