On 11/03/2016 01:18, Viktor Dukhovni wrote:
> On Fri, Mar 11, 2016 at 12:56:04AM +0100, Jakob Bohm wrote:
>
>> Your reply below is a perfect illustration of the expected confusion.
>
> Sorry, I disagree. The 1.1.0 changes fix various shortcomings that
> may well also be addressed in a future 1.0.2 update.
>
> The net effect is more consistent behaviour that is the same whether
> intermediate certificates are found in the trust-store or obtained
> from the peer. The few applications that enable partial chain
> support and the likely zero users who've created "decorated"
> intermediate certs in the OpenSSL trust store might notice some
> change.
>
> If you strongly feel that the behaviour should be the same for all
> users, that sounds like support for backporting the changes, which
> is something I will be proposing soon.

You misunderstand completely. I am arguing that:

- 1.0.x behavior should not be changed, as it would violate the principle of least surprise for a "security update" to change semantics.

- 1.1.0 behavior is better, if it was the only OpenSSL version ever to exist, but it isn't.

- Therefore the 1.1.0 behavior should use the CA directory shared with 1.0.x in a way consistent with how 1.0.x uses that directory (as a repository for trust anchors only, as far as I understand your non-replies), while 1.1.0 should store untrusted intermediary certificates in a different directory where they don't affect 1.0.x instances running on the same machine.

Enjoy

Jakob

--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded