Why wasn't the fix for IP name restrictions included in 1.0.2 ?


Why wasn't the fix for IP name restrictions included in 1.0.2 ?

Jakob Bohm-7
Way back in May 2014, there was a patch by Matt Caswell to not
incorrectly reject all certificate chains with IP address name
constraints and actual IP address names
(dd36fce023a64d90058b8fefbd95dadaca98f9ca).

However for some unknown reason, this was not included in 1.0.2
which thus still rejects all such certificate chains.

Why?


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Why wasn't the fix for IP name restrictions included in 1.0.2 ?

OpenSSL - User mailing list

> However for some unknown reason, this was not included in 1.0.2
> which thus still rejects all such certificate chains.
   
Because it was seen to be a feature, not a bug-fix?


Re: Why wasn't the fix for IP name restrictions included in 1.0.2 ?

Jakob Bohm-7
On 14/09/2017 23:06, Salz, Rich via openssl-users wrote:
> > However for some unknown reason, this was not included in 1.0.2
> > which thus still rejects all such certificate chains.
>      
> Because it was seen to be a feature, not a bug-fix?
>
But the patch was put in git almost 10 months before 1.0.2 initial
release.

Enjoy

Jakob

Re: Why wasn't the fix for IP name restrictions included in 1.0.2 ?

OpenSSL - User mailing list

> But the patch was put in git almost 10 months before 1.0.2 initial release.

We weren’t using git back then.  So maybe it’s a bad/confusing import.  Maybe Matt can explain.


Re: Why wasn't the fix for IP name restrictions included in 1.0.2 ?

Matt Caswell-2


On 15/09/17 00:05, Salz, Rich via openssl-users wrote:
>
> > But the patch was put in git almost 10 months before 1.0.2 initial release.
>
> We weren’t using git back then.  So maybe it’s a bad/confusing import.  Maybe Matt can explain.
>

Actually I think we were using git at that point. I calculate it at
about 8 months at the point of that commit before the 1.0.2 release.

IIRC 1.0.2 had a very long and protracted release period. It actually
went into beta at the end of February 2014. Shortly afterwards
Heartbleed hit and we had our minds on other things for a bit, so it
didn't get released until January 2015. The 1.0.2 branch was in "feature
freeze" during that whole period - so that is almost certainly the
reason why this wasn't backported.

Perhaps if we had realised in May 2014 that we weren't going to release
1.0.2 for another 8 months then we might have made different decisions.

Matt