Mail archive
alpine-devel

Re: [alpine-devel] Proposed change: openssl 1.1 as default system openssl implementation

From: Kevin Chadwick <m8il1ists_at_gmail.com>
Date: Sat, 10 Feb 2018 15:45:13 +0000

On Sat, 10 Feb 2018 08:31:26 -0600


> For the n-th time, there is nothing to discuss, LibreSSL removed SAFE
> date calculation code and replaced it with code that is only SAFE
> under a specific precondition: 64-bit time_t. Then they made it
> blindly accept ANY certificate that overflows the time_t if it's
> smaller than 64-bit, which is COMPLETELY UNSAFE AND ARGUABLY A
> SECURITY PROBLEM BECAUSE IT MEANS A CERT THAT EXPIRES BEFORE 1970 IS
> NOW POTENTIALLY VALID. Don't believe me? Generate a certificate that
> computes as 0xfffffff time_t on 32-bit and you win. Really, you do!
> If they care about portability, they should revert this change.

Yet there is no mention of TAI64N or this as far as I can see on the
libressl mailing list. I cross posted because reluctance to communicate
between Linux and OpenBSD devs is well known. OpenBSD devs are blunt
but they don't have time to be anything else.

I guess that issue PRE 1970 issue would not apply to OpenSSH but you
would probably find that your argument about a CERT expiring before
1970 has been considered and found to be a red herring or they would
help you but no YOU HAVEN'T EVEN DISCUSSED YOUR PROBLEM.

Where would they get a 1970 cert from that was trusted?


---
Unsubscribe:  alpine-devel+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-devel+help_at_lists.alpinelinux.org
---
Received on Sat Feb 10 2018 - 15:45:13 GMT