[openssl/openssl] 3eab35: Forbid GEN_OTHERNAME SMTP UTF8 email name constrai...

Bob Beck

May 7, 2026, 12:12:37 PM
to openssl...@openssl.org
Branch: refs/heads/master
Home: https://github.com/openssl/openssl
Commit: 3eab35f1752b74a5f09eec4ac9a7d3d73f040ba8
https://github.com/openssl/openssl/commit/3eab35f1752b74a5f09eec4ac9a7d3d73f040ba8
Author: Bob Beck <be...@openssl.org>
Date: 2026-05-07 (Thu, 07 May 2026)

Changed paths:
M crypto/x509/v3_purp.c

Log Message:
-----------
Forbid GEN_OTHERNAME SMTP UTF8 email name constraints.

RFC 9598 states:

Certificate Authorities that wish to issue CA certificates with email
address name constraints MUST use rfc822Name subject alternative names
only. These MUST be IDNA2008-conformant names with no mappings and with
non-ASCII domains encoded in A-labels only.

This appears to be to get around the confusion created if someone
attempts to encode a name constraint for an email address into the
UTF-8 version of the name.

Were someone to attempt to support this, not only would you now have
to check two separate sets of name constraints for the same thing, but
would now have to decide what to do if they said different things.

So we just flag any such certificate as invalid.

Reviewed-by: Saša Nedvědický <sas...@openssl.org>
Reviewed-by: Neil Horman <nho...@openssl.org>
MergeDate: Thu May 7 16:09:44 2026
(Merged from https://github.com/openssl/openssl/pull/30329)


Commit: 945cc69f5448b9da2a0ae8ac1e55efa45a442d12
https://github.com/openssl/openssl/commit/945cc69f5448b9da2a0ae8ac1e55efa45a442d12
Author: Bob Beck <be...@openssl.org>
Date: 2026-05-07 (Thu, 07 May 2026)

Changed paths:
A test/certs/bad-cert-smtputf8-name-constraints.pem
M test/recipes/25-test_verify.t

Log Message:
-----------
Add a test for a bogus SMTPUTF8 name constraint in a cert.

We will reject these.

Reviewed-by: Saša Nedvědický <sas...@openssl.org>
Reviewed-by: Neil Horman <nho...@openssl.org>
MergeDate: Thu May 7 16:09:48 2026
(Merged from https://github.com/openssl/openssl/pull/30329)


Compare: https://github.com/openssl/openssl/compare/c8676d939e76...945cc69f5448

To unsubscribe from these emails, change your notification settings at https://github.com/openssl/openssl/settings/notifications
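
As an added illustration of the check the first commit message describes (this is not the OpenSSL patch or any project code), the Python below walks a DER-encoded NameConstraints value and reports subtrees whose base is an otherName typed id-on-SmtpUTF8Mailbox. The function names and sample bytes are constructed here, and scanning both permitted and excluded subtrees is an assumption about scope.

```python
# Added illustration, not OpenSSL code; every name and sample here is constructed.
SMTPUTF8_OID = bytes.fromhex("2b06010505070809")  # 1.3.6.1.5.5.7.8.9 (RFC 8398)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yield (tag, value) for each TLV inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def smtputf8_constraints(nc_der):
    """List 'permitted'/'excluded' for every SmtpUTF8Mailbox otherName subtree."""
    tag, body, end = read_tlv(nc_der, 0)
    if tag != 0x30 or end != len(nc_der):
        raise ValueError("expected exactly one NameConstraints SEQUENCE")
    hits = []
    for list_tag, subtrees in children(body):
        kind = {0xA0: "permitted", 0xA1: "excluded"}.get(list_tag)
        if kind is None:
            raise ValueError("unexpected tag 0x%02x in NameConstraints" % list_tag)
        for st_tag, subtree in children(subtrees):
            if st_tag != 0x30:
                raise ValueError("GeneralSubtree must be a SEQUENCE")
            base_tag, base, _ = read_tlv(subtree, 0)  # base GeneralName comes first
            # otherName is [0] (0xA0): type-id OID first, then the [0] EXPLICIT value
            if base_tag == 0xA0 and read_tlv(base, 0)[:2] == (0x06, SMTPUTF8_OID):
                hits.append(kind)
    return hits

def tlv(tag, value):  # short-form encoder, used only to build the samples below
    return bytes([tag, len(value)]) + value
# Constructed samples: an rfc822Name [1] constraint vs. a SmtpUTF8Mailbox otherName.
OK_NC = tlv(0x30, tlv(0xA0, tlv(0x30, tlv(0x81, b"example.com"))))
MAILBOX = tlv(0xA0, tlv(0x0C, "\u7528\u6237@example.com".encode("utf-8")))
BAD_NC = tlv(0x30, tlv(0xA1, tlv(0x30, tlv(0xA0, tlv(0x06, SMTPUTF8_OID) + MAILBOX))))
```

A non-empty result from `smtputf8_constraints` marks a certificate of the kind the commit message says is flagged as invalid; an rfc822Name-only constraint returns an empty list.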