subversion-dev mailing list archives
From Philip Martin <phi...@codematters.co.uk>
Subject Re: x509 AlgorithmIdentifier parameters
Date Thu, 08 Feb 2018 19:58:38 GMT
Thomas Singer <thomas.singer@syntevo.com> writes:

> Hi Philip,
>
> Thank you for your effort in analyzing this bug and finding
> work-arounds or fixes.
>
> We are using a magic script to build all subversion dependencies,
> e.g. openssl-1.0.2 and cyrus-sasl-2.1.26. I've used the master branch
> from <https://github.com/openssl/openssl> for compiling (~163MB for
> the master vs. ~24MB for version 1.0.2) which seems to have compiled
> fine, but unfortunately the cyrus-sasl-2.1.26 fails to build. Without
> actually understanding what happens there under the hood, I'm a little
> bit lost. Should cyrus-sasl also be updated to be compatible with the
> openssl master?

I would strongly recommend against using OpenSSL 1.1.1-dev for anything
other than testing.

On the systems I have here OpenSSL 1.0 will verify an RSASSA-PSS cert
while OpenSSL 1.1 has introduced a new check that RSASSA-PSS certs fail.
OpenSSL 1.1.1-dev has made extensive changes to the new check and
RSASSA-PSS certs pass once again.

If you want to accept RSASSA-PSS certs then using OpenSSL 1.0 is
probably your best bet.  With the patches I posted it is possible to use
OpenSSL 1.1, but only by temporarily accepting the cert on every
connection.  Using OpenSSL 1.0 comes with the caveat that it is possibly
less secure than 1.1 when dealing with certs that are not RSASSA-PSS;
however, OpenSSL 1.0 is still widely used.

-- 
Philip
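The thread turns on what OpenSSL does with the AlgorithmIdentifier parameters of an RSASSA-PSS certificate. To make that field concrete, the following is an added example (not code from the message above, from Subversion or from OpenSSL): a small DER parser that reads an X.509 AlgorithmIdentifier, reports whether it is RSASSA-PSS, and decodes the RSASSA-PSS-params (hash, MGF and its hash, salt length, trailer field) with the RFC 4055 defaults applied when fields are absent. The three DER blobs are constructed by hand for the example; on a real certificate the same bytes are the signatureAlgorithm field that `openssl x509 -in cert.pem -noout -text` prints.

```python
"""Parse an X.509 AlgorithmIdentifier and decode RSASSA-PSS-params.

Added example for this thread; not code from Subversion, OpenSSL or the
message authors.  Structures follow RFC 5280 (AlgorithmIdentifier) and
RFC 4055 / RFC 8017 (RSASSA-PSS-params).  Sample DER blobs are constructed.
"""
from typing import Any, Dict, Tuple

RSASSA_PSS_OID = "1.2.840.113549.1.1.10"
MGF1_OID = "1.2.840.113549.1.1.8"
OID_NAMES = {
    RSASSA_PSS_OID: "rsassa-pss",
    MGF1_OID: "mgf1",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
}


def read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("TLV runs past end of buffer")
    return tag, data[pos:end], end


def read_single(data: bytes, expected_tag: int) -> bytes:
    """Read exactly one TLV with the given tag and reject trailing bytes."""
    tag, value, end = read_tlv(data, 0)
    if tag != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x}, got 0x{tag:02x}")
    if end != len(data):
        raise ValueError("trailing data after element")
    return value


def decode_oid(value: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER body to dotted form."""
    if not value:
        raise ValueError("empty OID")
    arcs, cur, pending = [value[0] // 40, value[0] % 40], 0, False
    for b in value[1:]:  # base-128 arcs, high bit set on continuation octets
        cur = (cur << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(cur)
            cur = 0
    if pending:
        raise ValueError("unterminated OID arc")
    return ".".join(map(str, arcs))


def parse_pss_params(body: bytes) -> Dict[str, Any]:
    """Decode RSASSA-PSS-params; absent fields take their RFC 4055 defaults."""
    params: Dict[str, Any] = {"hash": "sha1", "mgf": "mgf1", "mgf_hash": "sha1",
                              "salt_length": 20, "trailer_field": 1}
    pos, last_tag = 0, -1
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag <= last_tag:  # DER: each field at most once, in tag order
            raise ValueError("PSS params repeated or out of order")
        last_tag = tag
        if tag == 0xA0:    # hashAlgorithm [0]
            params["hash"] = parse_algorithm_identifier(val)["name"]
        elif tag == 0xA1:  # maskGenAlgorithm [1]; its parameters name the MGF hash
            mgf = parse_algorithm_identifier(val)
            params["mgf"] = mgf["name"]
            params["mgf_hash"] = mgf["params"]["name"] if isinstance(mgf["params"], dict) else None
        elif tag == 0xA2:  # saltLength [2]
            params["salt_length"] = int.from_bytes(read_single(val, 0x02), "big", signed=True)
        elif tag == 0xA3:  # trailerField [3]
            params["trailer_field"] = int.from_bytes(read_single(val, 0x02), "big", signed=True)
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in RSASSA-PSS-params")
    return params


def parse_algorithm_identifier(der: bytes) -> Dict[str, Any]:
    """Parse SEQUENCE { algorithm OID, parameters ANY DEFINED BY algorithm OPTIONAL }."""
    body = read_single(der, 0x30)
    tag, oid_bytes, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier.algorithm must be an OID")
    oid = decode_oid(oid_bytes)
    result: Dict[str, Any] = {"oid": oid, "name": OID_NAMES.get(oid, oid), "params": None}
    if pos == len(body):
        return result  # parameters absent
    ptag, pval, pend = read_tlv(body, pos)
    if pend != len(body):
        raise ValueError("trailing data after parameters")
    if ptag == 0x05:
        result["params"] = "NULL"
    elif ptag == 0x30 and oid == RSASSA_PSS_OID:
        result["params"] = parse_pss_params(pval)
    elif ptag == 0x30 and oid == MGF1_OID:
        result["params"] = parse_algorithm_identifier(body[pos:])  # nested AlgorithmIdentifier
    else:
        result["params"] = body[pos:]  # unrecognised: keep the raw encoding
    return result


def is_rsassa_pss(der: bytes) -> bool:
    return parse_algorithm_identifier(der)["oid"] == RSASSA_PSS_OID


def describe(der: bytes) -> str:
    """One-line summary of an AlgorithmIdentifier, expanding PSS parameters."""
    ai = parse_algorithm_identifier(der)
    if ai["oid"] != RSASSA_PSS_OID:
        return ai["name"]
    p = ai["params"] if isinstance(ai["params"], dict) else parse_pss_params(b"")
    return (f"rsassa-pss(hash={p['hash']}, mgf={p['mgf']}-{p['mgf_hash']}, "
            f"salt_length={p['salt_length']}, trailer_field={p['trailer_field']})")


# Constructed samples (hand-encoded DER, not taken from any real certificate).
SAMPLE_PSS = bytes.fromhex(            # RSASSA-PSS, SHA-256, MGF1-SHA-256, 32-byte salt
    "3041" "06092a864886f70d01010a" "3034"
    "a00f" "300d" "0609608648016503040201" "0500"
    "a11c" "301a" "06092a864886f70d010108" "300d" "0609608648016503040201" "0500"
    "a203" "020120")
SAMPLE_PSS_DEFAULTS = bytes.fromhex("300d06092a864886f70d01010a3000")  # empty params: SHA-1 defaults
SAMPLE_PKCS1 = bytes.fromhex("300d06092a864886f70d01010b0500")        # sha256WithRSAEncryption, NULL

if __name__ == "__main__":
    for label, blob in (("pss", SAMPLE_PSS), ("pss-defaults", SAMPLE_PSS_DEFAULTS), ("pkcs1", SAMPLE_PKCS1)):
        print(f"{label:13s} {describe(blob)}")
```

The strict-ordering and trailing-data checks matter because a verifier that compares the signatureAlgorithm parameters against the key's own PSS restrictions has to decode this structure exactly; a lenient parser that silently accepted a repeated or out-of-order field would compare the wrong values.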
