Thinking very hard about switching to another #SSL. From today's #openssl security advisory: During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. This sounds to me like a hopeless code base. It's been patched and patched and patched and with today's complexity is probably worse than any spaghetti code I ever saw when I was a programmer 35-40 years ago. !security

Thinking very hard about switching to another #SSL. From today's #openssl security advisory:

During certificate verification, OpenSSL (starting from version 1.0.1n and
1.0.2b) will attempt to find an alternative certificate chain if the first
attempt to build such a chain fails. An error in the implementation of this
logic can mean that an attacker could cause certain checks on untrusted
certificates to be bypassed, such as the CA flag, enabling them to use a valid
leaf certificate to act as a CA and "issue" an invalid certificate.

This sounds to me like a hopeless code base. It's been patched and patched and patched and with today's complexity is probably worse than any spaghetti code I ever saw when I was a programmer 35-40 years ago. !security