On Wed, Sep 07, 2011 at 10:06:55PM -0500, Raphael Geissert wrote:
> On Wednesday 07 September 2011 10:57:51 Raphael Geissert wrote:
> > On Monday 05 September 2011 14:55:50 Kurt Roeckx wrote:
> > > So you're basically saying that X509_verify_cert() should give an
> > > error in case it finds DigiNotar somewhere in the chain?
> > >
> > > I'm not opposed to such a change, but would like to see a better
> > > option in the future.
> >
> > Yes. I will try to spend some time with a debugger later today to find the
> > right place to implement such check. Or do you have any hint? (the cn
> > validation functions didn't seem to be executed in one case I tried)
>
> Attached is the first version of patch against the 1.0.0 series that does
> that.
> I implemented it in check_name_constraints, but given that 0.9.8 doesn't have
> support for name constraints I might as well move it to a separate function.
> I've tested it on the rogue *.google.com cert with verify(1) and a few others
> with different clients (tried the urls mentioned on the bug report, of which
> only ingcommercialbanking still uses a DigiNotar cert.)
> Attached are a bundle of the certs needed to verify(1) the rogue google cert,
> and the rogue cert itself. Perhaps they could be included in the test suite.
>
> The patch for 0.9.8 is also attached, but I haven't tested it yet. It was made
> based on squeeze's openssl and it seems to apply fine to lenny's openssl (just
> a few lines of difference.)
I wonder why you don't use the same patch for both.

I think the check_name_constraints() actually tries to test something
else, like that it's a well-formed name or something. So the new
function makes more sense to me.

Looking at the patch, it seems to make sense to me.

> Kurt, what do you think? would upstream be interested in the patch, or at
> least in reviewing it?

I can always try and ask them.


Kurt