Thinking very hard about switching to another #SSL. From today's #openssl security advisory:
During certificate verification, OpenSSL (starting from version 1.0.1n and
1.0.2b) will attempt to find an alternative certificate chain if the first
attempt to build such a chain fails. An error in the implementation of this
logic can mean that an attacker could cause certain checks on untrusted
certificates to be bypassed, such as the CA flag, enabling them to use a valid
leaf certificate to act as a CA and "issue" an invalid certificate.
This sounds to me like a hopeless code base. It's been patched and patched and patched and with today's complexity is probably worse than any spaghetti code I ever saw when I was a programmer 35-40 years ago. !security
Quadronyx (QDNX) uBlog
Contact uqdnx2013@qdnx.org for a free account here.
Notices where this attachment appears
Tags for this attachment
Quadronyx (QDNX) uBlog is a microblogging service brought to you by Quadronyx. It runs the StatusNet microblogging software, version 1.1.0-release, available under the GNU Affero General Public License.
All Quadronyx (QDNX) uBlog content and data are available under the Creative Commons Attribution 3.0 license.