Re: [openssl-users] OpenSSL Security Advisory - CVE-2015-1793

2015-07-10 Thread Matt Caswell
On 10/07/15 19:34, R C Delgado wrote: > Hello, > > One further question. Can you please confirm that the alternative > certificate chain feature is enabled by default? It seems to be implied > in all emails regarding this matter, and I'm assuming the Advisory email > would have mentioned it othe

Re: [openssl-users] OpenSSL Security Advisory - CVE-2015-1793

2015-07-10 Thread R C Delgado
Hello, One further question. Can you please confirm that the alternative certificate chain feature is enabled by default? It seems to be implied in all emails regarding this matter, and I'm assuming the Advisory email would have mentioned it otherwise. I've searched the OpenSSL code and seen that

Re: [openssl-users] OpenSSL Security Advisory - CVE-2015-1793

2015-07-10 Thread R C Delgado
Thank you very much. It really helps. On Fri, Jul 10, 2015 at 2:32 PM, Matt Caswell wrote: > > > On 10/07/15 13:09, R C Delgado wrote: > > Hello, > > > > With regards to CVE-2015-1793, I've seen the example in > verify_extra_test.c. > > How deep does the certificate chain have to be? > > If I ha

Re: [openssl-users] OpenSSL Security Advisory - CVE-2015-1793

2015-07-10 Thread Lewis Rosenthal
On 07/10/2015 09:32 AM, Matt Caswell wrote: On 10/07/15 13:09, R C Delgado wrote: Hello, With regards to CVE-2015-1793, I've seen the example in verify_extra_test.c. How deep does the certificate chain have to be? If I have 2 self-signed CA certificates, and a non-CA certificate is received fo

Re: [openssl-users] OpenSSL Security Advisory - CVE-2015-1793

2015-07-10 Thread Matt Caswell
On 10/07/15 13:09, R C Delgado wrote: > Hello, > > With regards to CVE-2015-1793, I've seen the example in verify_extra_test.c. > How deep does the certificate chain have to be? > If I have 2 self-signed CA certificates, and a non-CA certificate is > received for verification, will this hit the

Re: [openssl-users] OpenSSL Security Advisory - CVE-2015-1793

2015-07-10 Thread Salz, Rich
>How deep does the certificate chain have to be? It does not matter. >If I have 2 self-signed CA certificates, and a non-CA certificate is received >for verification, will this hit the problem? >Also, is it a condition of the bug that both CA certificates have to have the >same subject names an

[openssl-users] OpenSSL Security Advisory - CVE-2015-1793

2015-07-10 Thread R C Delgado
Hello, With regards to CVE-2015-1793, I've seen the example in verify_extra_test.c. How deep does the certificate chain have to be? If I have 2 self-signed CA certificates, and a non-CA certificate is received for verification, will this hit the problem? Also, is it a condition of the bug that bo