And also in 1.0.1 for the next time we put out a patch.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org
Fixed in 1.0.2 and master. Even tho the commit message says 3662 not 3552 :(
OpenSSL_1_0_2-stable 129344a RT3662: Allow leading . in nameConstraints
master 77ff1f3 RT3662: Allow leading . in nameConstraints
Author: Dr. Stephen Henson
Date: Tue Jan 6 15:29:28 2015 -0500
RT3662: Allow leading . i
On Thu, Jan 01, 2015 at 02:06:56PM -0500, Salz, Rich wrote:
> > This is a "security issue" in the sense that is a Type-II error
> > (disallowing good guys). It affects thousands of sites and
> > who-knows-how-many users.
>
> Well, kinda. It disallows good guys who made a mistake and are violati
> This is a "security issue" in the sense that is a Type-II error (disallowing
> good guys). It affects thousands of sites and who-knows-how-many users.
Well, kinda. It disallows good guys who made a mistake and are violating the
RFC. Sure, they're not written in stone and that particular R
On 12/31/2014 10:31 AM, Rich Salz via RT wrote:
> This patch from Steve Henson seems better
I am happy with the proposed patch. I have looked at
the code, and also tested it operationally.
The semantics is reasonable.
++ This is what I was arguing
This patch from Steve Henson seems better and a good candidate for 1.0.2 and
master:
> diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c index
> 26a6f67..9b7ca88 100644
> --- a/crypto/x509v3/v3_ncons.c
> +++ b/crypto/x509v3/v3_ncons.c
> @@ -405,7 +405,7 @@ static int nc_dns(ASN1_IA5