[Pkg-openssl-changes] r435 - in openssl/branches/etch: crypto/x509 debian
Kurt Roeckx
kroeckx at alioth.debian.org
Fri Sep 11 15:08:40 UTC 2009
Author: kroeckx
Date: 2009-09-11 15:08:40 +0000 (Fri, 11 Sep 2009)
New Revision: 435
Modified:
openssl/branches/etch/crypto/x509/x509_vfy.c
openssl/branches/etch/debian/changelog
Log:
Don't check self signed certificate signatures in X509_verify_cert()
(Closes: #541735)
Modified: openssl/branches/etch/crypto/x509/x509_vfy.c
===================================================================
--- openssl/branches/etch/crypto/x509/x509_vfy.c 2009-09-11 15:07:29 UTC (rev 434)
+++ openssl/branches/etch/crypto/x509/x509_vfy.c 2009-09-11 15:08:40 UTC (rev 435)
@@ -974,7 +974,11 @@
while (n >= 0)
{
ctx->error_depth=n;
- if (!xs->valid)
+
+ /* Skip signature check for self signed certificates. It
+ * doesn't add any security and just wastes time.
+ */
+ if (!xs->valid && xs != xi)
{
if ((pkey=X509_get_pubkey(xi)) == NULL)
{
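Review bot: the new test `if (!xs->valid && xs != xi)` skips the signature check whenever the certificate under examination is its own issuer, but nothing in the condition establishes that this self-signed certificate is the trusted anchor rather than a self-signed certificate the caller chose to accept; the comment's claim that the check "doesn't add any security" holds only in the trusted case. Suggest stating that assumption explicitly in the comment (e.g. "the chain end is only reached here once it has been accepted as trusted") so the reasoning is visible to the next reader of this loop.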
@@ -984,13 +988,6 @@
if (!ok) goto end;
}
else if (X509_verify(xs,pkey) <= 0)
- /* XXX For the final trusted self-signed cert,
- * this is a waste of time. That check should
- * optional so that e.g. 'openssl x509' can be
- * used to detect invalid self-signatures, but
- * we don't verify again and again in SSL
- * handshakes and the like once the cert has
- * been declared trusted. */
{
ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
ctx->current_cert=xs;
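Review bot: the deleted XXX comment recorded the upstream intent that the self-signature check "should [be] optional so that e.g. 'openssl x509' can be used to detect invalid self-signatures"; this change makes the skip unconditional instead, so a corrupt self-signature on a root certificate can no longer produce X509_V_ERR_CERT_SIGNATURE_FAILURE from this path. Either preserve that use case behind a verify flag, or carry the removed rationale into the new comment so the lost behaviour is documented rather than silently dropped.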
Modified: openssl/branches/etch/debian/changelog
===================================================================
--- openssl/branches/etch/debian/changelog 2009-09-11 15:07:29 UTC (rev 434)
+++ openssl/branches/etch/debian/changelog 2009-09-11 15:08:40 UTC (rev 435)
@@ -1,3 +1,10 @@
+openssl (0.9.8c-4etch9) oldstable-security; urgency=low
+
+ * Don't check self signed certificate signatures in X509_verify_cert()
+ (Closes: #541735)
+
+ -- Kurt Roeckx <kurt at roeckx.be> Fri, 11 Sep 2009 17:08:07 +0200
+
openssl (0.9.8c-4etch8) oldstable-security; urgency=low
* Remove MD2 from digest algorithm table. (CVE-2009-2409) (Closes: #539899)
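Review bot: the changelog entry only restates the commit subject; for a security upload it should name the user-visible effect, namely that X509_verify_cert() no longer reports a bad self-signature on the trust anchor, so administrators relying on that check know to verify root certificates by other means.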