Matt Caswell <m...@openssl.org> wrote:
> Using the cert/data files you provided me off-list (thanks), I was able to
> confirm the above and narrow it down further to the following commit:
What had produced the signatures?
> In some cases, the damage is permanent and the spec deviation and
> security risk becomes a tax all implementors must forever pay, but not
> here. Both BoringSSL and Go successfully implemented and deployed
> RSASSA-PKCS1-v1_5 as specified since their respective beginnings, so
> this change should be compatible enough to pin down in future OpenSSL
> releases.
> So, based on the above description, it appears that older versions of
OpenSSL
> were unduly lenient in tolerating incorrectly formatted signatures. As a
> security hardening measure that tolerance was removed. If you want to
know more
> then David Benjamin may be able to expand.
Did openssl ever produce these wrong signatures?
signature.asc
Description: PGP signature
