Forum: >>> Magnum BBS <<<

Bug#1103469: bookworm-pu: package openssl/openssl_3.0.16-1~deb12u1 (6/1

From Sebastian Andrzej Siewior@21:1/5 to All on Fri Apr 18 00:10:01 2025

[continued from previous message]

-The Netscape certificate type must be absent or it must have the SSL CA bit set.
-This is used as a work around if the basicConstraints extension is absent.
-
-=item B<SSL Server>
-
-The extended key usage extension must be absent or include the "web server -authentication" and/or one of the SGC OIDs. The keyUsage extension must be -absent or it
-must have the digitalSignature, the keyEncipherment set or both bits set.
-The Netscape certificate type must be absent or have the SSL server bit set. +Any given extended key usage extension must allow for C<clientAuth>
+("TLS WWW client authentication").
+
+For target certificates,
+the key usage must allow for C<digitalSignature> and/or C<keyAgreement>.
+The Netscape certificate type must be absent or have the SSL client bit set.
+
+For all other certificates the normal CA checks apply. In addition,
+the Netscape certificate type must be absent or have the SSL CA bit set.
+This is used as a workaround if the basicConstraints extension is absent.

-=item B<SSL Server CA>
+=item B<(D)TLS Server> (C<sslserver>)

-The extended key usage extension must be absent or include the "web server -authentication" and/or one of the SGC OIDs. The Netscape certificate type must
-be absent or the SSL CA bit must be set.
-This is used as a work around if the basicConstraints extension is absent. +Any given extended key usage extension must allow for C<serverAuth>
+("TLS WWW server authentication") and/or include one of the SGC OIDs.

-=item B<Netscape SSL Server>
+For target certificates, the key usage must
+allow for C<digitalSignature>, C<keyEncipherment>, and/or C<keyAgreement>. +The Netscape certificate type must be absent or have the SSL server bit set.

-For Netscape SSL clients to connect to an SSL server it must have the -keyEncipherment bit set if the keyUsage extension is present. This isn't
+For all other certificates the normal CA checks apply. In addition,
+the Netscape certificate type must be absent or have the SSL CA bit set.
+This is used as a workaround if the basicConstraints extension is absent.
+
+=item B<Netscape SSL Server> (C<nssslserver>)
+
+In addition to what has been described for B<sslserver>, for a Netscape
+SSL client to connect to an SSL server, its EE certficate must have the +B<keyEncipherment> bit set if the keyUsage extension is present. This isn't
always valid because some cipher suites use the key for digital signing.
Otherwise it is the same as a normal SSL server.

-=item B<Common S/MIME Client Tests>
+=item B<Common S/MIME Checks>
+
+Any given extended key usage extension must allow for C<emailProtection>.

-The extended key usage extension must be absent or include the "email -protection" OID. The Netscape certificate type must be absent or should have the
-S/MIME bit set. If the S/MIME bit is not set in the Netscape certificate type +For target certificates,
+the Netscape certificate type must be absent or should have the S/MIME bit set.
+If the S/MIME bit is not set in the Netscape certificate type
then the SSL client bit is tolerated as an alternative but a warning is shown.
This is because some Verisign certificates don't set the S/MIME bit.

-=item B<S/MIME Signing>
+For all other certificates the normal CA checks apply. In addition,
+the Netscape certificate type must be absent or have the S/MIME CA bit set. +This is used as a workaround if the basicConstraints extension is absent.
+
+=item B<S/MIME Signing> (C<smimesign>)
+
+In addition to the common S/MIME checks, for target certficiates
+the key usage must allow for C<digitalSignature> and/or B<nonRepudiation>.
+
+=item B<S/MIME Encryption> (C<smimeencrypt>)
+
+In addition to the common S/MIME checks, for target certficiates
+the key usage must allow for C<keyEncipherment>.

-In addition to the common S/MIME client tests the digitalSignature bit or
-the nonRepudiation bit must be set if the keyUsage extension is present. +=item B<CRL Signing> (C<crlsign>)

-=item B<S/MIME Encryption>
+For target certificates, the key usage must allow for C<cRLSign>.

-In addition to the common S/MIME tests the keyEncipherment bit must be set
-if the keyUsage extension is present.
+For all other certifcates the normal CA checks apply.
+Except in this case the basicConstraints extension must be present.

-=item B<S/MIME CA>
+=item B<OCSP Helper> (C<ocsphelper>)

-The extended key usage extension must be absent or include the "email -protection" OID. The Netscape certificate type must be absent or must have the
-S/MIME CA bit set.
-This is used as a work around if the basicConstraints extension is absent. +For target certificates, no checks are performed at this stage,
+but special checks apply; see L<OCSP_basic_verify(3)>.

-=item B<CRL Signing>
+For all other certifcates the normal CA checks apply.

-The keyUsage extension must be absent or it must have the CRL signing bit -set.
+=item B<Timestamp Signing> (C<timestampsign>)

-=item B<CRL Signing CA>
+For target certificates, if the key usage extension is present, it must include
+C<digitalSignature> and/or C<nonRepudiation> and must not include other bits. +The EKU extension must be present and contain C<timeStamping> only.
+Moreover, it must be marked as critical.

-The normal CA tests apply. Except in this case the basicConstraints extension -must be present.
+For all other certifcates the normal CA checks apply.

=back

@@ -671,6 +706,7 @@
=head1 SEE ALSO

L<X509_verify_cert(3)>,
+L<OCSP_basic_verify(3)>,
L<openssl-verify(1)>,
L<openssl-ocsp(1)>,
L<openssl-ts(1)>,
diff -Nru openssl-3.0.15/doc/man3/ASN1_aux_cb.pod openssl-3.0.16/doc/man3/ASN1_aux_cb.pod
--- openssl-3.0.15/doc/man3/ASN1_aux_cb.pod 2024-09-03 15:30:13.000000000 +0200
+++ openssl-3.0.16/doc/man3/ASN1_aux_cb.pod 2025-02-11 15:47:41.000000000 +0100
@@ -87,7 +87,7 @@
=item I<asn1_cb>

A callback that will be invoked at various points during the processing of -the the B<ASN1_VALLUE>. See below for further details.
+the B<ASN1_VALUE>. See below for further details.

=item I<enc_offset>

@@ -97,7 +97,7 @@
=item I<asn1_const_cb>

A callback that will be invoked at various points during the processing of -the the B<ASN1_VALLUE>. This is used in preference to the I<asn1_cb> callback if
+the B<ASN1_VALUE>. This is used in preference to the I<asn1_cb> callback if
the B<ASN1_AFLG_CONST_CB> flag is set. See below for further details.

=back
@@ -274,7 +274,7 @@

=head1 COPYRIGHT

-Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "L

Who's Online
Recent Visitors
- Logan
  Sun Jun 8 15:24:00 2025
  from Adelaide via Telnet
- Plume
  Sun Jun 8 14:13:27 2025
  from Uk via SSH
- Bob Worm
  Sun Jun 8 13:48:17 2025
  from Wales, Uk via Telnet
- Jack
  Sun Jun 8 06:41:19 2025
  from Mississipi via Telnet
- Centurion
  Sun Jun 8 00:08:04 2025
  from Berea, Ohio via Telnet
- Centurion
  Sat Jun 7 21:52:22 2025
  from Berea, Ohio via Telnet
- Tnmoc
  Sat Jun 7 13:44:20 2025
  from Milton Keynes via Telnet
- Tnmoc
  Sat Jun 7 13:40:01 2025
  from Milton Keynes via Telnet

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	488
Nodes:	16 (2 / 14)
Uptime:	05:38:10
Calls:	9,663
Calls today:	5
Files:	13,711
Messages:	6,166,857
Posted today:	2

Bug#1103469: bookworm-pu: package openssl/openssl_3.0.16-1~deb12u1 (6/1

Who's Online

Recent Visitors

System Info