[cabfpub] OpenSSL OCSP bugs

Ryan Sleevi sleevi at google.com
Sat Aug 20 05:07:29 UTC 2016


On Aug 19, 2016 9:54 PM, "Peter Bowen" <pzb at amzn.com> wrote:
>
>  If you only need to support “current” versions of OpenSSL, you just need
to include an empty sequence in the Basic Response to get OpenSSL to not
fail.  It is only four bytes extra compared to skipping the attribute.  In
my book, it is worth the 4 bytes.

Ah! Apologies, I'd missed that aspect of your original message.

Given that failures are a positive forcing function to upgrades, but that
magic incantations and lore (such as this) live forever because of the fear
of the unknown-unknown, my hope is that CAs would change nothing, OpenSSL
would adopt sane behaviours, and people who encounter breakage would
upgrade.

Then again, I may be being overly optimistic.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160819/9a7cfd6e/attachment-0003.html>


More information about the Public mailing list