Re: x509 AlgorithmIdentifier parameters

2018-02-08 Thread Thomas Singer
Hi Philip, Thank you for your effort in analyzing this bug and finding work-arounds or fixes. We are using a magic script to build all Subversion dependencies, e.g. openssl-1.0.2 and cyrus-sasl-2.1.26. I've used the master branch from for compiling

Re: x509 AlgorithmIdentifier parameters

2018-02-03 Thread Philip Martin
Philip Martin writes: > A client using openssl 1.0 will connect to a server serving the > RSASSA-PSS cert. Clients using openssl 1.1 fail to verify cert. The > underlying openssl 1.1 error appears to be > > $ openssl s_client -connect localhost:8887 -CAfile

Re: x509 AlgorithmIdentifier parameters

2018-02-03 Thread Philip Martin
Philip Martin writes: > Philip Martin writes: > >> In Marc's case getting a new server cert that is not RSASSA-PSS might be >> the best solution. > > r1822996 fixes the x509 parser on trunk. It doesn't mean that the > client will be able to

Re: x509 AlgorithmIdentifier parameters

2018-02-02 Thread Philip Martin
Philip Martin writes: > In Marc's case getting a new server cert that is not RSASSA-PSS might be > the best solution. r1822996 fixes the x509 parser on trunk. It doesn't mean that the client will be able to verify the RSASSA-PSS certs (you would need an OpenSSL fix

Re: x509 AlgorithmIdentifier parameters

2018-02-02 Thread Philip Martin
Philip Martin writes: > Looking back at the original mail it looks as if the error is produced > by x509parse.c:x509_get_alg() via svn_x509_parse_cert(), in particular > it is probably this assumption: > > /* > * assume the algorithm parameters must be NULL > */

x509 AlgorithmIdentifier parameters

2018-01-23 Thread Philip Martin
Marc Strapetz writes: > We have cherry-picked your fix onto 1.9.7 tag but unfortunately it > doesn't solve the problem for the user. Looking back at the original mail it looks as if the error is produced by x509parse.c:x509_get_alg() via svn_x509_parse_cert(), in