
Re: x509 AlgorithmIdentifier parameters

From: Philip Martin <philip_at_codematters.co.uk>
Date: Thu, 08 Feb 2018 19:58:38 +0000

Thomas Singer <thomas.singer_at_syntevo.com> writes:

> Hi Philip,
>
> Thank you for your effort in analyzing this bug and finding
> work-arounds or fixes.
>
> We are using a magic script to build all subversion dependencies,
> e.g. openssl-1.0.2 and cyrus-sasl-2.1.26. I've used the master branch
> from <https://github.com/openssl/openssl> for compiling (~163MB for
> the master vs. ~24MB for version 1.0.2) which seems to have compiled
> fine, but unfortunately the cyrus-sasl-2.1.26 fails to build. Without
> actually understanding what happens there under the hood, I'm a little
> bit lost. Should cyrus-sasl also be updated to be compatible with the
> openssl master?

I would strongly recommend against using OpenSSL 1.1.1-dev for anything
other than testing.

On the systems I have here OpenSSL 1.0 will verify an RSASSA-PSS cert
while OpenSSL 1.1 has introduced a new check that RSASSA-PSS certs fail.
OpenSSL 1.1.1-dev has made extensive changes to the new check and
RSASSA-PSS certs pass once again.

If you want to accept RSASSA-PSS certs then using openssl 1.0 is
probably your best bet. With patches I posted it is possible to use
openssl 1.1 but only by temporarily accepting the cert on every
connection. Using openssl 1.0 comes with the caveat that it is possibly
less secure than 1.1 when dealing with certs that are not RSASSA-PSS,
however openssl 1.0 is still widely used.

-- 
Philip
Received on 2018-02-08 20:58:51 CET

This is an archived mail posted to the Subversion Dev mailing list.
